This bypass targets the WAF protection in front of applications built on Next.js that accept multipart/form-data requests. It stems from how Next.js hands the raw request body stream to the Busboy library for parsing: Busboy's charset logic accepts UTF-16LE and legacy UCS-2 encoded payloads without any sanitization or filtering. An attacker can craft a multipart/form-data request encoded in UTF-16LE, which evades detection rules in many WAFs that expect UTF-8 or ASCII input, because the byte sequence inspected by the WAF no longer matches its UTF-8 patterns or signatures. Since Busboy decodes the stream in the declared encoding, the application still receives the intended payload, so attacks such as XSS, RCE, or others can reach it unfiltered, depending on the application context and payload. This vulnerability is identified as CVE-2025-55182 and shows the importance of validating character encodings and normalizing input in both WAFs and backend services to prevent such bypasses. Developers using Next.js with Busboy should consider updating or patching Busboy's charset handling, or adding an input validation layer that normalizes (or rejects) non-UTF-8 charsets before inspection.
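The following is an added example, not code from the original post, Next.js or Busboy: it decodes a multipart field's bytes according to the part's declared charset before running an inspection rule, so a UTF-16LE body is seen the way the backend sees it. The function names, the script-tag rule and the sample part are assumptions constructed for this example.

```javascript
// Added example (not from the original post or the Busboy/Next.js code bases):
// normalise a multipart field's bytes to text using the part's declared
// charset *before* inspecting it, mirroring how Busboy decodes the field,
// so a UTF-16LE body cannot slip past a UTF-8/ASCII pattern match.
'use strict';

// Charset aliases for 16-bit text; a filter that only inspects raw bytes
// never sees these as the characters the application will see.
const UTF16_ALIASES = new Set(['utf16le', 'utf-16le', 'ucs2', 'ucs-2']);

// Extract the charset parameter from a part's Content-Type header value.
function partCharset(contentType, defCharset = 'utf-8') {
  const m = /;\s*charset=("?)([^";]+)\1/i.exec(contentType || '');
  return (m ? m[2] : defCharset).trim().toLowerCase();
}

// Decode raw field bytes the way the backend will decode them.
function decodeFieldBytes(bytes, charset) {
  if (UTF16_ALIASES.has(charset)) return bytes.toString('utf16le');
  if (charset === 'latin1' || charset === 'iso-8859-1') return bytes.toString('latin1');
  return bytes.toString('utf8');
}

// Example inspection rule (assumed): flag HTML script tags in field values.
const SCRIPT_TAG = /<\s*script\b/i;

// Naive raw-byte inspection, as a rule applied to the undecoded body would do.
function rawBytesMatch(bytes) {
  return SCRIPT_TAG.test(bytes.toString('latin1'));
}

// Charset-aware inspection: decode first, then match. Optionally reject
// charsets the application never expects instead of decoding them.
function inspectField(contentType, bytes, { allowedCharsets = null } = {}) {
  const charset = partCharset(contentType);
  if (allowedCharsets && !allowedCharsets.has(charset)) {
    return { verdict: 'reject', reason: `unexpected charset ${charset}` };
  }
  const text = decodeFieldBytes(bytes, charset);
  return SCRIPT_TAG.test(text)
    ? { verdict: 'block', reason: 'script tag found after charset normalisation' }
    : { verdict: 'allow', reason: 'clean' };
}

// Constructed sample part: a script tag sent as a UTF-16LE encoded field.
const sampleContentType = 'text/plain; charset=utf-16le';
const sampleBytes = Buffer.from('<script>alert(1)</script>', 'utf16le');
```

Against the constructed sample, `rawBytesMatch` returns false while `inspectField` returns a block verdict, and passing `allowedCharsets` restricted to UTF-8 rejects the part outright.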
Original tweet: https://twitter.com/pyn3rd/status/1998416193498333301