New Unauthenticated DoS Vulnerability Crashes Next.js Servers with a Single Request

  • November 27, 2025

TripleHelix
Moderator
Next.js Servers DoS Vulnerability

A newly discovered critical vulnerability in the Next.js framework allows attackers to crash self-hosted servers using a single HTTP request, requiring negligible resources to execute.

Discovered by researchers at Harmony Intelligence, the denial-of-service (DoS) flaw affects widely used versions of the framework, including the latest 15.x branch prior to the patch.

The vulnerability resides in the cloneBodyStream function within body-streams.ts, a component responsible for copying streamed request bodies into memory before passing them to middleware. Unlike typical resource-exhaustion attacks that require flooding a network, this flaw exploits a lack of size limits on the internal memory buffer.

According to the disclosure, an attacker can send an infinite stream of data chunks to the server. While the attacker can release each chunk from their own memory immediately after sending, the Next.js server attempts to buffer the entire stream in RAM.

This asymmetry means that a device with minimal resources, described by the researchers as a “smart toaster”, can crash a robust enterprise server by exhausting its memory.

Harmony Intelligence discovered the flaw accidentally while testing an AI AppSec Agent against a different, known vulnerability, the authentication bypass tracked as CVE-2025-29927.

During the test, the agent autonomously executed a proof-of-concept script that crashed the demo application, revealing the zero-day flaw in the underlying Next.js framework.
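The buffering asymmetry described above, shown as an added illustration rather than as Next.js's own code: a body-buffering routine that keeps every chunk until the stream ends (the pattern the disclosure describes) is placed beside one that rejects the request as soon as a running byte count crosses a cap. The 1 MiB cap, the `BodyTooLargeError` type and the `hostileChunks` generator are assumptions made for this example; the generator stands in for a client that streams chunks it never has to keep, which is why the sender's memory cost stays flat while the receiver's grows.

```javascript
// Added example (not code from Next.js or from the disclosure).
// Assumed cap for illustration; real services tune this per route.
const MAX_BODY_BYTES = 1024 * 1024; // 1 MiB

class BodyTooLargeError extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.name = 'BodyTooLargeError';
    this.statusCode = 413; // HTTP 413 Payload Too Large
  }
}

// Vulnerable pattern: every chunk is retained until the sender decides to stop,
// so resident memory is bounded only by the client's patience.
function bufferUnbounded(chunks) {
  const parts = [];
  for (const chunk of chunks) parts.push(chunk);
  return Buffer.concat(parts);
}

// Hardened pattern: track the running total and fail fast once it passes the cap.
// Memory held is at most `limit` plus one chunk, regardless of what the client sends.
function bufferWithLimit(chunks, limit = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > limit) throw new BodyTooLargeError(limit);
    parts.push(chunk);
  }
  return Buffer.concat(parts);
}

// The same check over a Node.js readable stream, which is what an HTTP request
// body is. Destroying the stream releases the socket instead of waiting for an
// end-of-stream that a hostile client will never send.
async function readBodyWithLimit(stream, limit = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for await (const chunk of stream) {
    total += chunk.length;
    if (total > limit) {
      if (typeof stream.destroy === 'function') stream.destroy();
      throw new BodyTooLargeError(limit);
    }
    parts.push(chunk);
  }
  return Buffer.concat(parts);
}

// Constructed sample input: a generator that yields 64 KiB chunks on demand and
// keeps none of them, modelling the low-memory sender in the disclosure. A real
// attacker would never stop; `count` is finite only so this file terminates.
function* hostileChunks(count, size = 64 * 1024) {
  for (let i = 0; i < count; i++) yield Buffer.alloc(size, 0x41);
}

// Feeds the same oversized body (32 x 64 KiB = 2 MiB) to both routines and
// reports what each one did with it.
function demo() {
  const unboundedBytes = bufferUnbounded(hostileChunks(32)).length;
  let limitedOutcome;
  try {
    bufferWithLimit(hostileChunks(32));
    limitedOutcome = 'accepted';
  } catch (e) {
    limitedOutcome = e instanceof BodyTooLargeError ? 'rejected' : 'error';
  }
  return { unboundedBytes, limitedOutcome };
}
```

In a request handler the hardened variant is used as `await readBodyWithLimit(req)` inside a try/catch that maps `BodyTooLargeError` to a 413 response; the unbounded variant has no safe place in a server that accepts bodies from untrusted clients. The cap should be enforced before any copy of the body is made, since a clone that happens ahead of the limit check defeats the limit.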
