Shutting Down a Next.js Server for 0.0001 Cents Each Time

Alex Browne | 26 Nov 2025 | 5 min read

TL;DR

We discovered an unauthenticated DoS vulnerability that crashes a self-hosted Next.js server with a single HTTP request and negligible resources. The attack can be prevented by a reverse proxy that limits request size; rate-limiting alone is not sufficient protection. The vulnerability was initially discovered by our AI AppSec Agent and then confirmed by our in-house team. It has been responsibly disclosed and patched.

Affected software:

  • Self-hosted Next.js servers that use middleware (applications hosted on Vercel are not affected)
  • Versions <=15.5.4, 14.x, 13.x, and older

Mitigation:

  • Upgrade to Next.js version 15.5.5, 16.0.0, or newer
  • Or use a reverse proxy configured to limit request size (e.g. nginx with the default client_max_body_size)
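The reverse-proxy mitigation above, as an added example that is not part of the original post: an nginx server block in front of a self-hosted Next.js instance. The upstream address (127.0.0.1:3000), the hostname and the 1m limit are assumptions for illustration. Because the post states that a single request is enough to crash the server, `limit_req` rate limiting on its own would not help; the body-size cap is what stops the oversized request before it reaches Next.js.

```nginx
# Added example (not from the original post): nginx as a reverse proxy for a
# self-hosted Next.js server. Upstream address, hostname and limit are assumed.

http {
    upstream nextjs {
        server 127.0.0.1:3000;   # assumed: Next.js listening on localhost
    }

    server {
        listen 80;
        server_name example.com;  # placeholder hostname

        # Weak setting: a value of 0 disables nginx's body-size check, so an
        # oversized request body is forwarded straight to Next.js.
        # client_max_body_size 0;

        # Corrected setting: cap request bodies. nginx's default is 1m, so
        # leaving the directive unset is also safe; setting it explicitly
        # documents the intent. Requests over the limit are rejected with 413
        # before any bytes are proxied upstream.
        client_max_body_size 1m;

        location / {
            proxy_pass http://nextjs;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

The same directive can be set per `location` if one route legitimately needs large uploads; keep the tight global default and widen it only where required.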

Discovery

Funnily enough, we weren't explicitly looking for new vulnerabilities in Next.js at the time of discovery. Instead, we were testing if our AI AppSec Agent could independently find a different, known vulnerability — a recent auth bypass vulnerability in Next.js — without any prior knowledge or hints. To test this, we spun up a demo application running an affected version of Next.js.

For some context, our agent has access to source code and can interact directly with a live application. The agent operates within secure guardrails, but by design has autonomy to explore the entire attack surface. During the course of testing, we noticed the Next.js demo application had crashed. We didn't think ...
