A newly discovered critical vulnerability in the Next.js framework allows attackers to crash self-hosted servers with a single HTTP request, requiring negligible resources to execute.
Discovered by researchers at Harmony Intelligence, the denial-of-service (DoS) flaw affects popular versions of the framework, including the latest 15.x branch prior to the patch.
The vulnerability resides in the cloneBodyStream function in body-streams.ts, a component responsible for copying streamed requests into memory before passing them to middleware. Unlike typical resource exhaustion attacks that require flooding a network, this flaw exploits a lack of size limits on the internal memory buffer.
According to the disclosure, an attacker can send an endless stream of data chunks to the server. While the attacker can release each chunk from their own memory immediately after sending it, the Next.js server attempts to buffer the entire stream in RAM.
This asymmetry means a device with minimal resources, described by the researchers as a “smart toaster”, can successfully crash a robust enterprise server by exhausting its memory.
Harmony Intelligence discovered the flaw by accident while testing an AI AppSec Agent against a different, known vulnerability, the authentication bypass tracked as CVE-2025-29927.
During the test, the agent autonomously executed a proof-of-concept script that crashed the demo application, revealing the zero-day flaw in the underlying Next.js framework.
Affected Systems and Impact
The vulnerability specifically affects self-hosted Next.js applications that use middleware. Applications hosted directly on Vercel’s infrastructure are unaffected by this issue, Harmony said.
Given that roughly 55% of Next.js deployments are self-hosted (rising to 80% among enterprises), the potential attack surface is significant.
Currently, no CVE identifier has been assigned, though a request has been lodged. Researchers have recommended a CVSS v3.1 severity score of 7.5 (High), citing the low barrier to entry and the lack of authentication required to execute the attack.
Vercel patched the vulnerability on October 13, 2025, introducing a default 10MB limit on the internal buffer size. Administrators are urged to upgrade immediately or implement strict proxy-level constraints.
Component: Status / Recommendation
Vulnerability Type: Unauthenticated Denial of Service (DoS)
Affected Versions: Next.js 15.x (<= 15.5.4), 14.x, 13.x, and older
Patched Versions: 15.5.5, 16.0.0, or newer
Primary Mitigation: Upgrade to a patched version immediately
Workaround: Configure a reverse proxy (e.g., Nginx) to enforce client_max_body_size limits
Researchers emphasize that standard rate-limiting solutions are ineffective against this attack because the crash occurs before middleware-based rate limiters can process the request. Similarly, Next.js’s built-in bodyParser.sizeLimit configuration does not prevent this particular memory exhaustion vector.
The discovery underscores the importance of defense-in-depth strategies for self-hosted architectures. While upgrading is the definitive fix, placing a properly configured reverse proxy in front of application servers remains an essential best practice for rejecting oversized requests before they reach the application layer.
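The following is an added illustration, not code from Next.js or from Harmony Intelligence, of the defensive pattern the patch applies: buffering a request body stream only up to a hard byte cap and cancelling the source as soon as the cap is crossed. The 10MB default mirrors the article; bufferBodyWithLimit, chunkedStream and all sizes used in demo are constructed for the example.

```javascript
// Added example, not Next.js or Harmony Intelligence code: buffer a request
// body stream under a hard byte cap. 10MB mirrors the article's default;
// every other value here is constructed.
const DEFAULT_LIMIT = 10 * 1024 * 1024;
// Reads a web ReadableStream<Uint8Array> into memory, cancelling the source
// the moment the running total crosses `limit`. Without that check (the
// unpatched behaviour) `chunks` grows until the process exhausts its heap.
async function bufferBodyWithLimit(stream, limit = DEFAULT_LIMIT) {
  const reader = stream.getReader();
  const chunks = [];
  let total = 0;
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      total += value.byteLength;
      if (total > limit) {
        await reader.cancel(); // stop pulling instead of buffering on
        throw new RangeError(`request body exceeds ${limit} bytes`);
      }
      chunks.push(value);
    }
  } finally {
    reader.releaseLock();
  }
  return Buffer.concat(chunks, total);
}
// Constructed stand-in for a long chunked body: `count` chunks of `size`
// bytes, produced lazily so nothing is allocated before it is pulled.
function chunkedStream(count, size) {
  let sent = 0;
  return new ReadableStream({
    pull(controller) {
      if (sent++ < count) controller.enqueue(new Uint8Array(size));
      else controller.close();
    },
  });
}
// Both paths: a small body is buffered whole; an oversized one is rejected
// once `limit` bytes have been pulled, however many chunks remain upstream.
async function demo() {
  const small = await bufferBodyWithLimit(chunkedStream(4, 1024), 8 * 1024);
  let rejected = false;
  try {
    await bufferBodyWithLimit(chunkedStream(1_000_000, 64 * 1024), 1024 * 1024);
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { smallBytes: small.length, rejected };
}
```

Because the check runs inside the read loop, the oversized stream is abandoned after roughly 1MB has been pulled rather than after the producer decides to stop, which is the property an unbounded clone lacks.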
