next.js
45dba919 - Add maximum size limit for postponed body parsing (#88175)

Commit
53 days ago
Add maximum size limit for postponed body parsing (#88175) ### What? Adds a configurable `experimental.maxPostponedStateSize` limit for PPR postponed state body parsing to prevent OOM/DoS attacks. ### Why? The postponed state body was read entirely without size limits, creating a potential denial-of-service vector through unbounded memory allocation. ### How? Enforces a 10 MB default limit (configurable via next.config.js) with byte counting during body parsing. Returns HTTP 413 when exceeded with a helpful error message directing users to increase the limit if needed. <!-- Closes NEXT- --> <!-- Fixes # -->
Author
Parents
Loading