This bypass involves a vulnerability in how Next.js handles multipart/form-data requests. When Next.js processes such a request, it forwards the raw body stream to Busboy, a library used to parse multipart form data. Busboy's charset logic accepts UTF-16LE and legacy UCS-2 encodings without proper validation, so attackers can send payloads encoded in UTF-16LE or UCS-2 within multipart/form-data requests. Some Web Application Firewall (WAF) rules expect UTF-8 or similar encodings; the re-encoded bytes do not match those rules, and the malicious payload passes through undetected. The vulnerability is tracked as CVE-2025-55182 and relates to React2Shell, possibly a new remote code execution (RCE) method in React-based applications using Next.js.

Details:
– Type of vulnerability: WAF bypass that relies on multipart/form-data requests and charset processing.
– Affected component: Next.js and the Busboy library's charset handling.
– Payload technique: UTF-16LE and UCS-2 encoded payloads that bypass WAF checks.
– Impact: Allows attackers to bypass security filters and, if combined with other vulnerabilities, potentially carry out further attacks such as Remote Code Execution or Cross-Site Scripting (XSS).

Recommendation:
– Review and update WAF rules to properly decode and inspect multipart/form-data payloads with UTF-16LE and UCS-2 encoding.
– Monitor the Next.js framework and the Busboy library for updates and apply patches as they become available.
– Implement deep payload inspection beyond simple charset assumptions to prevent such bypasses.
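
A defensive sketch of the charset-aware inspection recommended above, added here as an example and not taken from Next.js, Busboy or any WAF product. It assumes the charset is declared in each part's Content-Type header; `splitParts`, `decodePart`, `inspect`, `buildBody`, the boundary and the `BLOCKED_TOKEN` signature are hypothetical names and constructed sample data.

```javascript
// Charset labels that Node's Buffer decodes as UTF-16LE.
const UTF16_LABELS = new Set(['utf-16le', 'utf16le', 'ucs-2', 'ucs2']);
const BOUNDARY = 'x-constructed-boundary'; // constructed sample value
const SIGNATURE = 'BLOCKED_TOKEN';         // benign stand-in for a WAF signature

// Split a raw multipart body into { headers, data } parts.
function splitParts(body, boundary) {
  const delim = Buffer.from(`--${boundary}`);
  const parts = [];
  let pos = body.indexOf(delim);
  while (pos !== -1) {
    const start = pos + delim.length;
    const next = body.indexOf(delim, start);
    if (next === -1) break;
    // Drop the CRLF after this delimiter and the CRLF before the next one.
    const chunk = body.subarray(start + 2, next - 2);
    const sep = chunk.indexOf('\r\n\r\n');
    if (sep !== -1)
      parts.push({ headers: chunk.subarray(0, sep).toString('latin1'), data: chunk.subarray(sep + 4) });
    pos = next;
  }
  return parts;
}

// Decode a part with the charset its own Content-Type header declares (assumption).
function decodePart(part) {
  const m = /content-type:[^\r\n]*charset=\s*"?([\w-]+)"?/i.exec(part.headers);
  const charset = m ? m[1].toLowerCase() : 'utf-8';
  return part.data.toString(UTF16_LABELS.has(charset) ? 'utf16le' : 'utf8');
}

// Compare a raw-byte signature scan with a scan over the decoded part text.
function inspect(body, boundary, signature) {
  const naive = body.includes(Buffer.from(signature, 'utf8'));
  const decoded = splitParts(body, boundary).some((p) => decodePart(p).includes(signature));
  return { naive, decoded };
}

// Build a constructed one-field body whose value is encoded with `encoding`.
function buildBody(charset, encoding) {
  const head = `--${BOUNDARY}\r\nContent-Disposition: form-data; name="field"\r\n` +
               `Content-Type: text/plain; charset=${charset}\r\n\r\n`;
  return Buffer.concat([Buffer.from(head), Buffer.from(`value=${SIGNATURE}`, encoding),
                        Buffer.from(`\r\n--${BOUNDARY}--\r\n`)]);
}

console.log(inspect(buildBody('utf-16le', 'utf16le'), BOUNDARY, SIGNATURE));
```

For the UTF-16LE body the raw-byte scan misses the token (`naive: false`) while the scan over decoded text finds it (`decoded: true`).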

This example highlights the importance of handling multiple character encodings in security filters and understanding how underlying libraries process incoming requests.