A vulnerability in Next.js Server Actions allows attackers to trigger unhandled exceptions using malformed Origin headers, leading to Denial of Service.
While analyzing the internal implementation of Server Actions in Next.js, I identified a Denial of Service (DoS) vulnerability caused by improper handling of the Origin header.
By sending a malformed Origin, an attacker can trigger an unhandled exception that results in repeated HTTP 500 responses, affecting the availability of any self-hosted application using Server Actions.
next start, standalone)During code review, I noticed that the Origin header is parsed using:
new URL(originHeader).host
When originHeader is not a valid absolute URL (e.g. http://, null, or malformed values), this throws:
TypeError: Invalid URL
This exception is not caught, propagating through the rendering pipeline and returning a 500 Internal Server Error.
An attacker does not need authentication or knowledge of internal application logic.
Send a POST request to any route
Include:
Content-Type: multipart/form-dataOrigin headerTrigger Server Actions execution path
Cause unhandled exception → HTTP 500
curl -X POST https://target-app.com/ \
-H "Content-Type: multipart/form-data; boundary=----PoC" \
-H "Origin: http://" \
--data-binary $'------PoC--\r\n'
Origin: nullOrigin: ftp://Origin: invalid-urlAlthough this does not lead to data exposure or code execution, it allows attackers to degrade service availability.
Full PoC and reproduction steps are available here:
https://github.com/FJRG2007/nextjs-sa-dos-poc-20260413
This issue highlights a critical pattern:
In high-traffic environments, even low-cost requests can lead to effective service disruption.
new URL() in a try-catch blockundefined or null in validation paths (prevents CSRF bypass)function parseOriginHost(originHeader: string): string {
if (originHeader === "null") return "null";
try {
return new URL(originHeader).host;
} catch {
return "\x00INVALID_ORIGIN";
}
};
Even small input validation issues can cascade into availability problems in modern frameworks. This vulnerability demonstrates how improper handling of standard headers like Origin can lead to application-wide failures.
Proper validation and error handling are essential, especially in security-sensitive flows such as Server Actions.
Learn more about my work and projects!