Next.js's Critical Vulnerability CVE-2025-29927

In case you missed it, a few days ago (03/21/2025), Next.js was hit with a major security vulnerability. Here’s Fireship’s video about it:

This news was widely covered and even celebrated by Next.js haters, myself included

After looking into it a bit more, I found out that the two security experts who were behind both shaming and saving Next.js were… 🥁🥁🥁 Algerians.

Who are they?

Rachid Allam (zhero_)

Rachid Allam, 100% self-taught web vulnerability researcher.

from: zhero-web-sec.github.io/whoami

AKA zhero_ , His HackerOne profile speaks for itself.
He has hunted bugs in global apps you probably use every day (these are just the public ones):

Links:

• Blog: zhero-web-sec.github.io
• HackerOne: zhero_
• Intigriti: zhero_
• Immunefi: zhero
• X: zhero___

Yasser Allam (inzo_)

always hunting for the unseen

from: x.com/inzo____

Inzo_ seems to be the quiet one, but his activity is anything but quiet.
The guy is an epic gamer on a roll.

Links:

• X: inzo____
• HackerOne: inzo_

These two seem to be yin and yang (unless they’re actually the same person, lol).
After this Next.js banger, they also collaborated on tackling Remix.js, which led to uncovering a vulnerability in React Router.

The Algerian tech scene’s neglect of open-source contributions

A question worth asking: why wasn’t this covered in the Algerian tech scene?
What scene, you ask? (Exactly.)

Whether we like to admit it or not, tech in Algeria is mostly treated as a profession to put food on the table. It’s rarely celebrated in the public space. Here are 4 reasons why I think that is:

1. No north Star

There’s a lack of ambition to be part of something bigger. The internet is our portal to a world of possibilities and exposures.

2. It’s just a job

Most programmers, tech people, and companies treat this industry like a 9-to-5. Passion is rare.
Worse, people often mock those who code in their free time.

3. The bubble

Many Algerian devs speak two or more languages, yet they stay confined to local communities and companies—disconnected from the global tech world.

4. Underestimating the impact

We think open source is a waste of time. We don’t see local success stories, so we don’t believe in them.

To wrap up

I feel very proud and inspired by these two guys and I wish them more success to come in their bug bounty hunting and contributions. I hope other Algerian developers will aspire to tackle the world wide web and not just their localhosts.

Next.js and React suck btw.

-zackAJ