This bypass exploits a weakness in how Next.js handles multipart/form-data requests: the raw body stream is handed to Busboy for parsing. The core issue lies in Busboy's charset logic, which accepts UTF-16LE and the legacy UCS-2 encoding without further sanitization. When a request is sent as multipart/form-data with the charset declared as UTF-16LE, Next.js decodes the input from that encoding, so a payload that a Web Application Firewall (WAF) inspects as opaque UTF-16LE bytes reaches the application as ordinary text. The bypass is not specific to one vendor's WAF: any inspection layer that only examines the raw, undecoded bytes is affected, because the trick works by changing the content encoding rather than the payload itself. The underlying vulnerability is CVE-2025-55182, associated with React2Shell. In simple terms, the bypass hides a malicious payload behind a less scrutinized character encoding, undermining the effectiveness of the WAF. Developers and security engineers should review how their stack handles multipart requests and enforce strict charset validation (for example, accepting only UTF-8) to mitigate this risk.
#CVE-2025-55182 #React2Shell
Let me walk you through the technical path of the WAF bypass.
When a request is sent as multipart/form-data, Next.js hands the raw body stream to Busboy. The bypass comes from Busboy’s charset logic: it cleanly accepts UTF-16LE (and legacy UCS-2) and… pic.twitter.com/bs92eiGYxL
— pyn3rd (@pyn3rd) December 9, 2025
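As an added defender-side example (not code from Next.js, Busboy, or the tweet's author), the following Node.js function splits a raw multipart/form-data body into its parts, reports any part whose effective charset is not UTF-8/ASCII, and decodes each part so that an inspection rule sees the same text the application-side parser would. The boundary, the sample body and the `defaultCharset` parameter (which a caller would fill from the outer Content-Type) are assumptions constructed for this example.

```javascript
// Added example: pre-parse guard for raw multipart/form-data bodies (Node.js, no deps).
const ALLOWED_CHARSETS = new Set(['utf-8', 'utf8', 'us-ascii', 'ascii']);

// Extract the charset parameter of a Content-Type value, lowercased, or null.
function parseCharset(contentType) {
  const m = /;\s*charset\s*=\s*"?([A-Za-z0-9._-]+)"?/i.exec(contentType || '');
  return m ? m[1].toLowerCase() : null;
}

// body: Buffer with the raw request body; boundary: the outer Content-Type's boundary.
// defaultCharset (assumption): charset a part without its own declaration is read with.
function inspectMultipart(body, boundary, defaultCharset = 'utf-8') {
  const delim = Buffer.from(`--${boundary}`);
  const parts = [];
  let pos = body.indexOf(delim);
  while (pos !== -1) {
    let start = pos + delim.length;
    if (body.subarray(start, start + 2).toString('latin1') === '--') break; // final delimiter
    start += 2;                                        // skip CRLF after the boundary line
    const end = body.indexOf(delim, start);
    if (end === -1) break;                             // truncated body: stop
    const raw = body.subarray(start, Math.max(start, end - 2)); // drop CRLF before next boundary
    const sep = raw.indexOf('\r\n\r\n');
    const headerBuf = sep === -1 ? raw : raw.subarray(0, sep);
    const payload = sep === -1 ? Buffer.alloc(0) : raw.subarray(sep + 4);
    const headers = {};
    for (const line of headerBuf.toString('latin1').split('\r\n')) {
      const i = line.indexOf(':');
      if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
    const charset = parseCharset(headers['content-type']) || defaultCharset.toLowerCase();
    const suspicious = !ALLOWED_CHARSETS.has(charset); // flag UTF-16LE, UCS-2, anything non-UTF-8
    let text = null;
    try {
      text = new TextDecoder(charset).decode(payload); // normalise as a parser would
    } catch (e) {
      // Unknown charset label: text stays null; a strict guard should reject the request.
    }
    parts.push({ headers, charset, suspicious, text });
    pos = end;
  }
  return parts;
}

// Constructed sample body: one field declared as UTF-16LE, one plain UTF-8 field.
function sampleBody() {
  return Buffer.concat([
    Buffer.from('--B\r\nContent-Disposition: form-data; name="a"\r\n' +
                'Content-Type: text/plain; charset=utf-16le\r\n\r\n'),
    Buffer.from('hello', 'utf16le'),
    Buffer.from('\r\n--B\r\nContent-Disposition: form-data; name="b"\r\n\r\nplain\r\n--B--\r\n'),
  ]);
}
```

A middleware can run `inspectMultipart` before the body reaches the application parser and reject the request, or pass `text` to the inspection rules, whenever a part is marked `suspicious`.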