HTTP 500 on malformed request body for server action (JSON parse SyntaxError)
Link to the code that reproduces this issue
https://github.com/artemzhdev/next-js-server-action-500
To Reproduce
- Run your application and trigger any server action from the client (browser)
- Find the POST request related to the server action in the NETWORK tab and copy it as curl
- Slightly modify it so that the request body contains malformed JSON (like "["). You can just replace " --data-raw '[]'" with " --data-raw '[' -v" at the end.
- Try to run this request in a terminal
Current vs. Expected behavior
Current behavior: HTTP 500. Expected behavior: HTTP 400 (Bad Request)
Provide environment information
NextJS version: 15.3.6 & 16.0.1.
Which area(s) are affected? (Select all that apply)
Server Actions
Which stage(s) are affected? (Select all that apply)
next start (local)
Additional context
My site is being scanned by some vulnerability scanner. It's not an issue. But I use monitoring to track all 5xx errors. Such responses are tracked as high priority bugs. Unfortunately, this happens for bad requests produced by vulnerability scanners. My server action code is not even called. And I cannot find a way to catch it in the middleware.
Can you post more of the error stack you got? If possible of course. Thanks in advance.
I had a similar issue. A brand-new app built with the latest versions of Next.js and React (including all vulnerability patches) is still returning 500 errors, along with the well-known E {"digest" response body.
Some security consultants claim that the app is still vulnerable because this specific combination of a 500 error and that response body is considered an indicator of the issue. However, when running fix-react2shell-next, it reports that no vulnerable packages were found.
CURL:
curl -i 'https://yourwebsite.com/' \
-X POST \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0' \
-H 'Next-Action: x' \
-H 'X-Nextjs-Request-Id: b5dce965' \
-H 'Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%2Cnull%2Cnull%5D%7D%2Cnull%2Cnull%2Ctrue%5D' \
-H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad' \
-H 'X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9' \
--data-binary $'------WebKitFormBoundaryx8jO2oVc6SWP3Sad\nContent-Disposition: form-data; name="1"\n\n{}\n------WebKitFormBoundaryx8jO2oVc6SWP3Sad\nContent-Disposition: form-data; name="0"\n\n["$1:a:a"]\n------WebKitFormBoundaryx8jO2oVc6SWP3Sad--\n'
Package.json:
{
  "name": "my-app",
  "private": true,
  "scripts": {
    "dev": "next dev",
    "build": "next build",
    "start": "next start"
  },
  "dependencies": {
    "next": "16.0.7",
    "react": "19.2.1"
  },
  "devDependencies": {
    "@types/node": "22.7.4",
    "@types/react": "19.0.2",
    "typescript": "5.6.3"
  }
}
We are experiencing the same or a similar issue on 14.2.20. Although it doesn't appear to succeed, the requests throw 500 errors and are very noisy. Any path responds to the POST, not just server actions. fix-react2shell-next reports no vulnerability. The scanning started around the time that CVE-2025-55182 was announced.
Can you post more of the error stack you got? If possible of course. Thanks in advance.
Yes, sure. But it's quite small.
⨯ SyntaxError: Expected ',' or '}' after property value in JSON at position 205
at JSON.parse (<anonymous>) {
digest: '4006648716'
}
Also I have a lot of this (but it's not an issue):
[Error: Failed to find Server Action "x". This request might be from an older or newer deployment.
Read more: https://nextjs.org/docs/messages/failed-to-find-server-action]
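The following is an added example (not code from this thread or from the Next.js project): it classifies error records in the two shapes posted above, so that the JSON-parse and unknown-action errors produced by probing requests can be routed away from the high-priority 5xx alert while a JSON.parse failure inside action code still pages. The category names, function names and the third sample record are assumptions made for illustration.

```javascript
// Added example: classify Next.js error-log records so probe noise is not paged.
// Category names and function names are hypothetical.
const RECORD_START = /^\s*(?:⨯\s+|\[)?\w*Error: /;

// Stack frames ("at ...") contained in one record.
const frames = (text) => text.split('\n').filter((l) => /^\s*at /.test(l));

const RULES = [
  // Request body failed JSON.parse before any action code ran: the thread's
  // record has JSON.parse as its only frame. App-code frames mean a real bug.
  { category: 'malformed-action-body',
    match: (t) => /SyntaxError: .*JSON/.test(t) &&
      frames(t).length === 1 && /at JSON\.parse \(/.test(frames(t)[0]) },
  // Next-Action header named an id that this build does not have.
  { category: 'unknown-action-id',
    match: (t) => /Failed to find Server Action "/.test(t) },
];

function splitRecords(log) {
  const records = [];
  for (const line of log.split(/\r?\n/)) {
    if (RECORD_START.test(line)) records.push([line]);
    else if (records.length && line.trim()) records[records.length - 1].push(line);
  }
  return records.map((lines) => lines.join('\n'));
}

function triage(log) {
  return splitRecords(log).map((record) => {
    const rule = RULES.find((r) => r.match(record));
    const digest = (record.match(/digest: '(\d+)'/) || [])[1] || null;
    // page === true keeps the high-priority 5xx alert.
    return { category: rule ? rule.category : 'unclassified', page: !rule, digest };
  });
}

// Constructed sample: records 1-2 copy the shapes posted in this thread;
// record 3 is an invented application bug (JSON.parse called from action code).
const SAMPLE_LOG = [
  " ⨯ SyntaxError: Expected ',' or '}' after property value in JSON at position 205",
  '    at JSON.parse (<anonymous>) {',
  "  digest: '4006648716'",
  '}',
  '[Error: Failed to find Server Action "x". This request might be from an older or newer deployment.',
  'Read more: https://nextjs.org/docs/messages/failed-to-find-server-action]',
  ' ⨯ SyntaxError: Unexpected end of JSON input',
  '    at JSON.parse (<anonymous>)',
  '    at saveSettings (app/actions.js:12:18) {',
  "  digest: '1234567890'",
  '}',
].join('\n');

console.log(triage(SAMPLE_LOG));
```

Records that match a rule are still worth counting per source, since a burst of them is a usable signal of scanning activity.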
Thanks. Yes this is likely someone trying to exploit that CVE. And https://github.com/vercel/next.js/issues/73220#issuecomment-3614485330 is likely the same issue, but in your case, you've tested it with the text/x-component, rather than multipart/form-data -