Tuesday, March 17, 2026

Critical Unauthenticated DoS Bug Can Take Down Next.js Servers Using Just One HTTP Request

A serious denial-of-service (DoS) flaw in Next.js lets attackers crash self-hosted servers with a single HTTP request, while spending almost no memory or bandwidth of their own.

Security firm Harmony Intelligence found the issue while testing its AI AppSec Agent, and it affects every Next.js version up to and including 15.5.4.

Next.js powers millions of websites, with over 3 million live deployments tracked online. About 55% of these run self-hosted, including roughly 80% of enterprise deployments, so a large installed base is exposed.

Apps deployed on Vercel are not affected, but self-hosted servers that are reachable directly are. No CVE number has been assigned yet, though the researchers suggest a CVSS score of 7.5 (high severity), since the flaw is reachable over the network with no privileges or user interaction required.

How The Bug Works

The problem sits in Next.js's cloneBodyStream function inside body-streams.ts.

This code copies the entire incoming request body into server memory before middleware runs.

Because there is no size limit, a sufficiently large body exhausts RAM and crashes the process. Attackers exploit this cheaply by streaming an effectively endless sequence of small chunks.

They discard each chunk right after sending it, so their own memory use stays tiny, small enough to run the attack from a weak device such as a Raspberry Pi.

The server, however, buffers everything it receives, creating a massive asymmetry between attacker cost and server cost. Rate limits do not help here because the buffering happens before middleware runs.


Tools such as express-rate-limit or the Next.js body-parser size limit miss the mark for the same reason. Harmony found the bug by accident.

Its AI AppSec Agent was testing a demo app for a different flaw (CVE-2025-29927, an authorization bypass) when a proof-of-concept script crashed the server. Further checks confirmed the root cause in Next.js itself rather than in the demo app.

Fixes and Protections

Vercel patched it in versions 15.5.5 (October 13, 2025) and 16.0.0 by adding a 10MB limit on the cloned buffer; a request that exceeds the limit now throws an error instead of growing the buffer. Upgrading is the complete fix.

As a workaround for servers that cannot be upgraded right away, put a reverse proxy such as nginx in front of the app with client_max_body_size set to a low value, such as nginx's default of 1 MB.

This rejects oversized requests before they reach Next.js. Make sure the app server is not reachable directly; route all traffic through the proxy. A load balancer spreads traffic across instances but does not stop the attack on its own; the body size limit is what matters.

Limits inside the Next.js application itself, such as rate limiting or bodyParser.sizeLimit, do not stop this, because the buffering happens earlier in the request pipeline than those checks.

Self-hosters should review Vercel's updated self-hosting guide for proxy setups. The flaw is a reminder that widely used frameworks still carry serious bugs despite heavy scrutiny.

Harmony notes that its AI agent uncovered what human reviewers missed, urging app owners to scan codebases proactively. Check deployments now to avoid downtime.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging threats and technologies.
