My startup — cybersecurity intelligence & big data with the world's largest fraud database
← Back to Blog
2 min read
April 13, 2026

Denial of Service in Next.js Server Actions via Malformed Origin Header

A vulnerability in Next.js Server Actions allows attackers to trigger unhandled exceptions using malformed Origin headers, leading to Denial of Service.

Denial of Service in Next.js Server Actions via Malformed Origin Header
CybersecurityReports

Executive Summary

While analyzing the internal implementation of Server Actions in Next.js, I identified a Denial of Service (DoS) vulnerability caused by improper handling of the Origin header.

By sending a malformed Origin, an attacker can trigger an unhandled exception that results in repeated HTTP 500 responses, affecting the availability of any self-hosted application using Server Actions.

Technical Details

Affected Technology

  • Framework: Next.js (Server Actions)
  • Affected Versions: <= 16.2.3 (including v15.x and v14.x)
  • Deployment Type: Self-hosted (next start, standalone)
  • Not affected: Vercel Edge (Origin normalized upstream)

Vulnerability Classification

  • Severity: Medium (DoS)
  • Type: Unhandled Exception → Denial of Service
  • CWE:
    • CWE-248 (Uncaught Exception)
    • CWE-20 (Improper Input Validation)
  • CVE: Not assigned

Root Cause

During code review, I noticed that the Origin header is parsed using:

TypeScript
new URL(originHeader).host

When originHeader is not a valid absolute URL (e.g. http://, null, or malformed values), this throws:

Code
TypeError: Invalid URL

This exception is not caught, propagating through the rendering pipeline and returning a 500 Internal Server Error.

Attack Mechanism

An attacker does not need authentication or knowledge of internal application logic.

Exploitation steps:

  1. Send a POST request to any route

  2. Include:

    • Content-Type: multipart/form-data
    • Malformed Origin header
  3. Trigger Server Actions execution path

  4. Cause unhandled exception → HTTP 500

Example exploit

Code
curl -X POST https://target-app.com/ \
  -H "Content-Type: multipart/form-data; boundary=----PoC" \
  -H "Origin: http://" \
  --data-binary $'------PoC--\r\n'

Alternative payloads

  • Origin: null
  • Origin: ftp://
  • Origin: invalid-url

Impact

  • Continuous HTTP 500 responses
  • Service instability under repeated requests
  • Log flooding with stack traces
  • No authentication required

Although this does not lead to data exposure or code execution, it allows attackers to degrade service availability.

Proof of Concept

Full PoC and reproduction steps are available here:

https://github.com/FJRG2007/nextjs-sa-dos-poc-20260413

Security Implications

This issue highlights a critical pattern:

  • Trusting user-controlled headers
  • Lack of defensive parsing
  • Missing exception handling in critical paths

In high-traffic environments, even low-cost requests can lead to effective service disruption.

For developers

  1. Wrap new URL() in a try-catch block
  2. Reject malformed origins with 400 responses
  3. Avoid returning undefined or null in validation paths (prevents CSRF bypass)
  4. Implement strict origin validation logic

Secure fix approach

TypeScript
function parseOriginHost(originHeader: string): string {
  if (originHeader === "null") return "null";

  try {
    return new URL(originHeader).host;
  } catch {
    return "\x00INVALID_ORIGIN";
  }
};

Conclusion

Even small input validation issues can cascade into availability problems in modern frameworks. This vulnerability demonstrates how improper handling of standard headers like Origin can lead to application-wide failures.

Proper validation and error handling are essential, especially in security-sensitive flows such as Server Actions.

Author

Check my portfolio

Learn more about my work and projects!

Posts in:
CybersecurityReports
Version 2.4.7 — All rights reserved © Creative Commons Attribution - All Rights Reserves: CC BY-NC-ND 4.0 | TPEOficial LLC.