A recently disclosed high-severity flaw in the Next.js framework lets an attacker take down a self-hosted server with a single HTTP request, using almost no resources on the attacking side.
Discovered by researchers at Harmony Intelligence, the denial-of-service (DoS) vulnerability affects widely deployed versions of the framework, including the current 15.x series prior to the fix.
The flaw lies in the cloneBodyStream function in body-streams.ts, the module that duplicates a streamed request body into memory before handing it to middleware. Unlike a classic resource-exhaustion attack that has to saturate the network, this one exploits the absence of any size limit on that internal memory buffer.
According to the disclosure, an attacker can send an unbounded stream of body chunks. The attacker can discard each chunk from its own memory as soon as it is sent, while the Next.js server tries to buffer the entire stream in RAM.
This asymmetry means that a device with minimal resources, which the researchers call a “smart toaster,” can exhaust the memory of a powerful enterprise server.
Harmony Intelligence found the flaw by accident while evaluating an AI AppSec Agent against a different, already known vulnerability: the authentication bypass tracked as CVE-2025-29927.
During that evaluation the agent autonomously ran a proof-of-concept script that crashed the demo application, exposing the zero-day in the underlying Next.js framework.
Impacted Systems and Consequences
The vulnerability specifically affects self-hosted Next.js applications that use middleware. Applications hosted directly on Vercel’s infrastructure are not affected, Harmony stated.
Given that roughly 55% of Next.js deployments are self-hosted (rising to 80% among large enterprises), the potential attack surface is considerable.
No CVE identifier has been assigned yet, although one has been requested. The researchers propose a CVSS v3.1 score of 7.5 (High), citing the low skill required and the fact that no authentication is needed to carry out the attack.
Vercel fixed the vulnerability on October 13, 2025 by introducing a default 10MB limit on the internal buffer size. Administrators are urged to upgrade promptly or, failing that, to enforce strict request-size limits at the proxy layer.
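To make the mechanism and the fix concrete, here is an added illustration (not Next.js source code, and not from Harmony Intelligence) of the two buffering patterns described above: an unbounded clone that grows with whatever the client sends, and a bounded clone that tracks the running size and rejects the request once a cap is exceeded. The 10 * 1024 * 1024 cap, the error class, the function names and the endless chunk generator are all assumptions made for this example; chunks arrive from a synchronous iterable here so that the code runs stand-alone, whereas in a real server they arrive asynchronously.

```javascript
// Added example, not Next.js or Harmony Intelligence code: unbounded versus
// bounded buffering of a streamed request body. Node.js, no third-party modules.

// Assumed cap for this example (the article reports a default 10MB limit in the fix).
const DEFAULT_MAX_BODY_BYTES = 10 * 1024 * 1024;

// Hypothetical error type; a server would map it to HTTP 413 Payload Too Large.
class BodyTooLargeError extends Error {
  constructor(limit, seen) {
    super(`request body exceeded ${limit} bytes (received at least ${seen})`);
    this.name = 'BodyTooLargeError';
    this.statusCode = 413;
  }
}

// Vulnerable pattern: append every chunk with no upper bound. Memory use on
// the server equals whatever the client chooses to send. Never call this on an
// endless stream; it only terminates when the input does.
function cloneBodyUnbounded(chunks) {
  const parts = [];
  for (const chunk of chunks) parts.push(Buffer.from(chunk));
  return Buffer.concat(parts);
}

// Hardened pattern: keep a running byte count and abort as soon as it passes
// maxBytes, so the server never holds more than maxBytes plus one chunk.
function cloneBodyBounded(chunks, maxBytes = DEFAULT_MAX_BODY_BYTES) {
  const parts = [];
  let size = 0;
  for (const chunk of chunks) {
    const buf = Buffer.from(chunk);
    size += buf.length;
    if (size > maxBytes) throw new BodyTooLargeError(maxBytes, size);
    parts.push(buf);
  }
  return Buffer.concat(parts);
}

// Constructed "attacker" input: a generator yielding identical 64 KiB chunks
// forever. The sender only ever holds one chunk at a time, which is the
// asymmetry the article describes.
function* endlessChunks(chunkSize = 64 * 1024) {
  const chunk = Buffer.alloc(chunkSize, 0x41); // 'A' bytes, constructed filler
  while (true) yield chunk;
}

// Feed the endless stream to the bounded clone and report how many bytes the
// server had read before the cap rejected the request. Only terminates because
// maxBytes is finite.
function bytesBufferedBeforeReject(maxBytes, chunkSize) {
  let seen = 0;
  const counting = (function* () {
    for (const c of endlessChunks(chunkSize)) {
      seen += c.length;
      yield c;
    }
  })();
  try {
    cloneBodyBounded(counting, maxBytes);
  } catch (e) {
    if (e instanceof BodyTooLargeError) {
      return { rejected: true, bytes: seen, status: e.statusCode };
    }
    throw e;
  }
  return { rejected: false, bytes: seen, status: 200 };
}

// Stand-alone demo: a 1 MiB cap against an endless stream of 64 KiB chunks.
console.log(bytesBufferedBeforeReject(1024 * 1024, 64 * 1024));
```

The bounded version rejects on the seventeenth 64 KiB chunk (the first one that pushes the total past 1 MiB), so the server's exposure is capped at a known, configurable amount instead of the client's patience. This is the same shape of defence as the proxy-level body-size limit listed under Workaround below: decide the maximum before reading, and stop reading the moment it is exceeded.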
| Component | Status / Recommendation |
|---|---|
| Vulnerability Type | Unauthenticated Denial of Service (DoS) |
| Affected Versions | Next.js 15.x (<= 15.5.4), 14.x, 13.x, and older |
| Patched Versions | 15.5.5, 16.0.0, or newer |
| Primary Mitigation | Upgrade to a patched version without delay |
| Workaround | Set up a reverse proxy (e.g., Nginx) to impose client_max_body_size limits |
The researchers stress that conventional rate limiting does not help against this attack, because the server runs out of memory before any middleware-based rate limiter gets to see the request. For the same reason, Next.js’s built-in bodyParser.sizeLimit setting does not prevent this particular memory-exhaustion vector.
The finding underlines the need for defence in depth in self-hosted environments. Upgrading is the definitive fix, but placing a properly configured reverse proxy in front of application servers remains an essential practice for rejecting oversized requests before they ever reach the application layer.