[middleware]: add upper bound to cloneBodyStream

Author: ztanner

packages/next/errors.json

@@ -852,5 +852,8 @@
   "851": "Pass either `webpack` or `turbopack`, not both.",
   "852": "Only custom servers can pass `webpack`, `turbo`, or `turbopack`.",
   "853": "Turbopack build failed",
-  "854": "Expected a %s request header."
+  "854": "Expected a %s request header.",
+  "855": "Client Max Body Size must be a valid number (bytes) or filesize format string (e.g., \"5mb\")",
+  "856": "Client Max Body Size must be larger than 0 bytes",
+  "857": "Request body exceeded %s"
 }

packages/next/src/server/body-streams.ts

@@ -1,6 +1,9 @@
 import type { IncomingMessage } from 'http'
 import type { Readable } from 'stream'
 import { PassThrough } from 'stream'
+import bytes from 'next/dist/compiled/bytes'
+
+const DEFAULT_BODY_CLONE_SIZE_LIMIT = 10 * 1024 * 1024 // 10MB
 
 export function requestToBodyStream(
   context: { ReadableStream: typeof ReadableStream },
@@ -38,7 +41,8 @@ export interface CloneableBody {
 }
 
 export function getCloneableBody<T extends IncomingMessage>(
-  readable: T
+  readable: T,
+  sizeLimit?: number
 ): CloneableBody {
   let buffered: Readable | null = null
 
@@ -76,13 +80,38 @@ export function getCloneableBody<T extends IncomingMessage>(
       const input = buffered ?? readable
       const p1 = new PassThrough()
       const p2 = new PassThrough()
+
+      let bytesRead = 0
+      const bodySizeLimit = sizeLimit ?? DEFAULT_BODY_CLONE_SIZE_LIMIT
+      let limitExceeded = false
+
       input.on('data', (chunk) => {
+        if (limitExceeded) return
+
+        bytesRead += chunk.length
+
+        if (bytesRead > bodySizeLimit) {
+          limitExceeded = true
+          const error = new Error(
+            `Request body exceeded ${bytes.format(bodySizeLimit)}`
+          )
+          p1.destroy(error)
+          p2.destroy(error)
+          return
+        }
+
         p1.push(chunk)
         p2.push(chunk)
       })
       input.on('end', () => {
-        p1.push(null)
-        p2.push(null)
+        if (!limitExceeded) {
+          p1.push(null)
+          p2.push(null)
+        }
+      })
+      input.on('error', (err) => {
+        p1.destroy(err)
+        p2.destroy(err)
       })
       buffered = p2
       return p1

packages/next/src/server/config-shared.ts

@@ -790,6 +790,12 @@ export interface ExperimentalConfig {
    */
   isolatedDevBuild?: boolean
 
+  /**
+   * Body size limit for cloning request bodies in middleware.
+   * Defaults to 10MB. Can be specified as a number (bytes) or string (e.g. '5mb').
+   */
+  clientMaxBodySize?: SizeLimit
+
   /**
    * Enable the Model Context Protocol (MCP) server for AI-assisted development.
    * When enabled, Next.js will expose an MCP server at `/_next/mcp` that provides

packages/next/src/server/config.ts

@@ -672,6 +672,31 @@ function assignDefaultsAndValidate(
     }
   }
 
+  // Normalize & validate experimental.clientMaxBodySize
+  if (typeof result.experimental?.clientMaxBodySize !== 'undefined') {
+    const clientMaxBodySize = result.experimental.clientMaxBodySize
+    let normalizedValue: number
+
+    if (typeof clientMaxBodySize === 'string') {
+      const bytes =
+        require('next/dist/compiled/bytes') as typeof import('next/dist/compiled/bytes')
+      normalizedValue = bytes.parse(clientMaxBodySize)
+    } else if (typeof clientMaxBodySize === 'number') {
+      normalizedValue = clientMaxBodySize
+    } else {
+      throw new Error(
+        'Client Max Body Size must be a valid number (bytes) or filesize format string (e.g., "5mb")'
+      )
+    }
+
+    if (isNaN(normalizedValue) || normalizedValue < 1) {
+      throw new Error('Client Max Body Size must be larger than 0 bytes')
+    }
+
+    // Store the normalized value as a number
+    result.experimental.clientMaxBodySize = normalizedValue
+  }
+
   warnOptionHasBeenMovedOutOfExperimental(
     result,
     'transpilePackages',

packages/next/src/server/lib/router-utils/resolve-routes.ts

@@ -175,7 +175,10 @@ export function getResolveRoutes(
     addRequestMeta(req, 'initProtocol', protocol)
 
     if (!isUpgradeReq) {
-      addRequestMeta(req, 'clonableBody', getCloneableBody(req))
+      const bodySizeLimit = config.experimental.clientMaxBodySize as
+        | number
+        | undefined
+      addRequestMeta(req, 'clonableBody', getCloneableBody(req, bodySizeLimit))
     }
 
     const maybeAddTrailingSlash = (pathname: string) => {

packages/next/src/server/next-server.ts

@@ -1950,7 +1950,14 @@ export default class NextNodeServer extends BaseServer<
     addRequestMeta(req, 'initProtocol', protocol)
 
     if (!isUpgradeReq) {
-      addRequestMeta(req, 'clonableBody', getCloneableBody(req.originalRequest))
+      const bodySizeLimit = this.nextConfig.experimental?.clientMaxBodySize as
+        | number
+        | undefined
+      addRequestMeta(
+        req,
+        'clonableBody',
+        getCloneableBody(req.originalRequest, bodySizeLimit)
+      )
     }
   }
 

test/e2e/client-max-body-size/app/api/echo/route.ts

@@ -0,0 +1,5 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+export async function POST(request: NextRequest) {
+  return new NextResponse('Hello World', { status: 200 })
+}

test/e2e/client-max-body-size/index.test.ts

@@ -0,0 +1,210 @@
+import { nextTestSetup } from 'e2e-utils'
+import { fetchViaHTTP } from 'next-test-utils'
+
+describe('client-max-body-size', () => {
+  describe('default 10MB limit', () => {
+    const { next } = nextTestSetup({
+      files: __dirname,
+    })
+
+    it('should reject request body over 10MB by default', async () => {
+      const bodySize = 11 * 1024 * 1024 // 11MB
+      const body = 'x'.repeat(bodySize)
+
+      const res = await fetchViaHTTP(
+        next.url,
+        '/api/echo',
+        {},
+        {
+          body,
+          method: 'POST',
+        }
+      )
+
+      expect(res.status).toBe(400)
+      expect(next.cliOutput).toContain('Request body exceeded 10MB')
+    })
+
+    it('should accept request body at exactly 10MB', async () => {
+      const bodySize = 10 * 1024 * 1024 // 10MB
+      const body = 'y'.repeat(bodySize)
+
+      const res = await fetchViaHTTP(
+        next.url,
+        '/api/echo',
+        {},
+        {
+          body,
+          method: 'POST',
+        }
+      )
+
+      expect(res.status).toBe(200)
+      const responseBody = await res.text()
+      expect(responseBody).toBe('Hello World')
+    })
+
+    it('should accept request body under 10MB', async () => {
+      const bodySize = 5 * 1024 * 1024 // 5MB
+      const body = 'z'.repeat(bodySize)
+
+      const res = await fetchViaHTTP(
+        next.url,
+        '/api/echo',
+        {},
+        {
+          body,
+          method: 'POST',
+        }
+      )
+
+      expect(res.status).toBe(200)
+      const responseBody = await res.text()
+      expect(responseBody).toBe('Hello World')
+    })
+  })
+
+  describe('custom limit with string format', () => {
+    const { next } = nextTestSetup({
+      files: __dirname,
+      nextConfig: {
+        experimental: {
+          clientMaxBodySize: '5mb',
+        },
+      },
+    })
+
+    it('should reject request body over custom 5MB limit', async () => {
+      const bodySize = 6 * 1024 * 1024 // 6MB
+      const body = 'a'.repeat(bodySize)
+
+      const res = await fetchViaHTTP(
+        next.url,
+        '/api/echo',
+        {},
+        {
+          body,
+          method: 'POST',
+        }
+      )
+
+      expect(res.status).toBe(400)
+      expect(next.cliOutput).toContain('Request body exceeded 5MB')
+    })
+
+    it('should accept request body under custom 5MB limit', async () => {
+      const bodySize = 4 * 1024 * 1024 // 4MB
+      const body = 'b'.repeat(bodySize)
+
+      const res = await fetchViaHTTP(
+        next.url,
+        '/api/echo',
+        {},
+        {
+          body,
+          method: 'POST',
+        }
+      )
+
+      expect(res.status).toBe(200)
+      const responseBody = await res.text()
+      expect(responseBody).toBe('Hello World')
+    })
+  })
+
+  describe('custom limit with number format', () => {
+    const { next } = nextTestSetup({
+      files: __dirname,
+      nextConfig: {
+        experimental: {
+          clientMaxBodySize: 2 * 1024 * 1024, // 2MB in bytes
+        },
+      },
+    })
+
+    it('should reject request body over custom 2MB limit', async () => {
+      const bodySize = 3 * 1024 * 1024 // 3MB
+      const body = 'c'.repeat(bodySize)
+
+      const res = await fetchViaHTTP(
+        next.url,
+        '/api/echo',
+        {},
+        {
+          body,
+          method: 'POST',
+        }
+      )
+
+      expect(res.status).toBe(400)
+      expect(next.cliOutput).toContain('Request body exceeded 2MB')
+    })
+
+    it('should accept request body under custom 2MB limit', async () => {
+      const bodySize = 1 * 1024 * 1024 // 1MB
+      const body = 'd'.repeat(bodySize)
+
+      const res = await fetchViaHTTP(
+        next.url,
+        '/api/echo',
+        {},
+        {
+          body,
+          method: 'POST',
+        }
+      )
+
+      expect(res.status).toBe(200)
+      const responseBody = await res.text()
+      expect(responseBody).toBe('Hello World')
+    })
+  })
+
+  describe('large custom limit', () => {
+    const { next } = nextTestSetup({
+      files: __dirname,
+      nextConfig: {
+        experimental: {
+          clientMaxBodySize: '50mb',
+        },
+      },
+    })
+
+    it('should accept request body up to 50MB with custom limit', async () => {
+      const bodySize = 20 * 1024 * 1024 // 20MB
+      const body = 'e'.repeat(bodySize)
+
+      const res = await fetchViaHTTP(
+        next.url,
+        '/api/echo',
+        {},
+        {
+          body,
+          method: 'POST',
+        }
+      )
+
+      expect(res.status).toBe(200)
+      const responseBody = await res.text()
+      expect(responseBody).toBe('Hello World')
+    })
+
+    it('should reject request body over custom 50MB limit', async () => {
+      const bodySize = 51 * 1024 * 1024 // 51MB
+      const body = 'f'.repeat(bodySize)
+
+      const res = await fetchViaHTTP(
+        next.url,
+        '/api/echo',
+        {},
+        {
+          body,
+          method: 'POST',
+        }
+      )
+
+      expect(res.status).toBe(400)
+      expect(next.cliOutput).toContain('Request body exceeded 50MB')
+    })
+  })
+})

test/e2e/client-max-body-size/middleware.ts

@@ -0,0 +1,9 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+export async function middleware(request: NextRequest) {
+  return NextResponse.next()
+}
+
+export const config = {
+  matcher: '/api/:path*',
+}

test/e2e/middleware-fetches-with-body/index.test.ts

@@ -37,6 +37,23 @@ describe('Middleware fetches with body', () => {
             res.json({ rawBody, body: req.body })
           }
         `,
+        'app/api/test-clone-limit/route.js': `
+          import { NextResponse } from 'next/server'
+
+          export async function POST(request) {
+            try {
+              const buffer = await request.arrayBuffer()
+              return NextResponse.json({
+                success: true,
+                bodySize: buffer.byteLength
+              })
+            } catch (err) {
+              return NextResponse.json({
+                error: err.message
+              }, { status: 500 })
+            }
+          }
+        `,
         'middleware.js': `
           import { NextResponse } from 'next/server';