
A newly discovered critical vulnerability in the Next.js framework allows attackers to crash self-hosted servers using a single HTTP request, requiring negligible resources to execute.
Discovered by researchers at Harmony Intelligence, the denial-of-service (DoS) flaw affects widespread versions of the framework, including the latest 15.x branch prior to the patch.
The vulnerability resides in the cloneBodyStream function within body-streams.ts, a component responsible for copying streamed requests into memory before passing them to middleware. Unlike typical resource exhaustion attacks that require flooding a network, this flaw exploits a lack of size limits on the internal memory buffer.
According to the disclosure, an attacker can send an infinite stream of data chunks to the server. While the attacker can release each chunk from their own memory immediately after sending, the Next.js server attempts to buffer the entire stream in RAM.
This asymmetry means a device with minimal resources, described by the researchers as a “smart toaster”, can crash a robust enterprise server by exhausting its memory.
Harmony Intelligence discovered the flaw accidentally while testing an AI AppSec Agent against a different, known vulnerability, the authentication bypass tracked as CVE-2025-29927.
During the test, the agent autonomously executed a proof-of-concept script that crashed the demo application, revealing the zero-day flaw in the underlying Next.js framework.
Affected Systems and Impact
The vulnerability specifically impacts self-hosted Next.js applications that utilize middleware. Applications hosted directly on Vercel’s infrastructure are unaffected by this issue, Harmony said.
Given that approximately 55% of Next.js deployments are self-hosted (rising to 80% among enterprises), the potential attack surface is significant.
Currently, no CVE identifier has been assigned, though a request has been lodged. Researchers have recommended a CVSS v3.1 severity score of 7.5 (High), citing the low barrier to entry and lack of authentication required to execute the attack.
Vercel patched the vulnerability on October 13, 2025, introducing a default 10MB limit on the internal buffer size. Administrators are urged to upgrade immediately or implement strict proxy-level constraints.
| Component | Status / Recommendation |
|---|---|
| Vulnerability Type | Unauthenticated Denial of Service (DoS) |
| Affected Versions | Next.js 15.x (<= 15.5.4), 14.x, 13.x, and older |
| Patched Versions | 15.5.5, 16.0.0, or newer |
| Primary Mitigation | Upgrade to a patched version immediately |
| Workaround | Configure a reverse proxy (e.g., Nginx) to enforce client_max_body_size limits |
Researchers emphasize that standard rate-limiting solutions are ineffective against this attack because the crash occurs before middleware-based rate limiters can process the request. Similarly, Next.js’s built-in bodyParser.sizeLimit configuration does not prevent this specific memory exhaustion vector.
The discovery underscores the importance of defense-in-depth strategies for self-hosted architectures. While upgrading is the definitive fix, placing a properly configured reverse proxy in front of application servers remains a critical best practice for rejecting oversized requests before they reach the application layer.
