Next.js Patches 13 CVEs: Demos of Bypasses and DoS
Better Stackgo watch the original →
the gist
Next.js fixed 13 CVEs (6 high severity); video recreates middleware bypass via _next/data.json, React Flight DoS spiking requests from 0.02s to 6s, SSRF with curl upgrade header, cache poisoning via RSC query string, and XSS in before-interactive scripts.
Vulnerability Recreations
The video demonstrates five Next.js CVEs from the recent security release. A middleware bypass (CVE severity 7.5/10) in pages router with i18n enabled exposes server-side props via /_next/data/<buildId>/<locale>/secret.json; the base /secret lacks matcher protection while /en/secret and /fr/secret variants are secured. A denial-of-service attack (severity 7.5/10) uses React Flight payloads with 199,999 junk keys and 1,000 $k<N> pointers referencing N_underscore prefixes, forcing 200 million string comparisons and slowing server actions from 0.02 seconds to 6 seconds; TanStack Start avoids this by not using React Server DOM.
Server-side request forgery (highest severity 8.6/10, self-hosted only) proxies internal services via curl -H "Upgrade: websocket" --request-target http://localhost:<port>/; Next.js resolves the request-target path without full proxy checks. Cache poisoning (severity 5.4/10) stores React Server Component payload (triggered by RSC: 1 header + query string) as HTML due to .rsc? not matching .rsc check, serving gibberish on cache hit. Cross-site scripting (severity 6.1/10) in before-interactive scripts with untrusted searchParams input uses "><script>alert('pwned')</script><!-- to escape dangerouslySetInnerHTML from JSON.stringify(props), injecting executable JS.
Fixes Deployed
Upgrading Next.js resolves all issues; impacted versions listed in Vercel changelog. Middleware bypass adds base locale to i18n matcher. DoS fix switches to cursor-based key scanning (N + K operations vs. K * N; 201,000 total). SSRF adds resolveRoutes guards for finished: false or HTTP status codes (200/404) blocking proxy. Cache poisoning ignores query strings in .rsc detection. XSS properly escapes script attributes.
Author's Perspective
The creator expresses frustration with repeated server component CVEs (third video this year), questions if they were a mistake, and prefers TanStack Start, Astro, and Cloudflare migrations over Vercel/Next.js. Notes middleware should not protect sensitive data alone, per Next.js guidance.