This WAF bypass concerns how Next.js handles multipart/form-data requests when it uses the Busboy library. The weakness lies in Busboy's charset logic, which accepts UTF-16LE and the legacy UCS-2 encoding without proper sanitization. When a request is sent with one of these encodings, Next.js passes the raw body stream to Busboy, so the payload reaches the application while bypassing the Web Application Firewall (WAF). Because the payload can be encoded in a charset the WAF does not decode correctly, the bypass is not tied to one vulnerability class: any attack whose payload a WAF would normally block can potentially slip through. It underlines the importance of careful charset handling in both WAF implementations and server-side libraries.
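As an added example (not code from the original tweet, Next.js or Busboy), the Node.js script below shows why a byte-level WAF signature misses a form field whose multipart part declares charset=utf-16le, and how a check that decodes each part with its declared charset, the way a lenient backend parser does, still matches the same content. The boundary, field name, sample value and the placeholder signature are all constructed for the demo.

```javascript
// Added example (not from Next.js, Busboy or the original tweet): byte-level vs charset-aware matching.
const RULE = /<script/i; // placeholder signature standing in for a WAF rule (constructed)

// Decode a part the way a lenient backend honours its charset: UTF-16LE and legacy UCS-2 are both little-endian UTF-16.
function decodePart(raw, charset) {
  const label = (charset || 'utf-8').toLowerCase();
  if (['utf-16le', 'ucs-2', 'utf-16'].includes(label)) return raw.toString('utf16le');
  if (['latin1', 'iso-8859-1'].includes(label)) return raw.toString('latin1');
  return raw.toString('utf8');
}

// Minimal multipart/form-data splitter: returns [{ name, charset, raw }] for each part.
function parseMultipart(body, boundary) {
  const delim = Buffer.from(`--${boundary}`);
  const parts = [];
  let pos = body.indexOf(delim);
  while (pos !== -1) {
    pos += delim.length;
    if (body.subarray(pos, pos + 2).toString() === '--') break; // closing delimiter reached
    pos += 2; // CRLF that ends the boundary line
    const headerEnd = body.indexOf('\r\n\r\n', pos);
    const next = body.indexOf(delim, headerEnd);
    if (headerEnd === -1 || next === -1) break; // malformed body: stop parsing
    const headers = body.subarray(pos, headerEnd).toString('latin1');
    parts.push({
      name: /name="([^"]*)"/i.exec(headers)?.[1],
      charset: /charset=([^\s;]+)/i.exec(headers)?.[1],
      raw: body.subarray(headerEnd + 4, next - 2), // drop the CRLF before the next boundary
    });
    pos = next;
  }
  return parts;
}

// Naive WAF: matches the raw request bytes as if every part were UTF-8.
function naiveWafBlocks(body) { return RULE.test(body.toString('utf8')); }
// Charset-aware WAF: decodes each part with its declared charset first, then matches.
function charsetAwareWafBlocks(body, boundary) {
  return parseMultipart(body, boundary).some(p => RULE.test(decodePart(p.raw, p.charset)));
}

// Constructed sample request body with one text field encoded in the given charset.
const BOUNDARY = 'demo-boundary';
function buildBody(charsetLabel, nodeEncoding, value = '<script>') {
  const head = `--${BOUNDARY}\r\nContent-Disposition: form-data; name="comment"\r\n` +
               `Content-Type: text/plain; charset=${charsetLabel}\r\n\r\n`;
  return Buffer.concat([Buffer.from(head), Buffer.from(value, nodeEncoding), Buffer.from(`\r\n--${BOUNDARY}--\r\n`)]);
}
```

Rejecting or normalizing parts that declare any charset other than UTF-8 before they reach the application is the simpler mitigation; the parser here only shows why byte-level matching alone is not enough.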
For more insights, check out the original tweet here: https://twitter.com/pyn3rd/status/1998415296034660497