[PR #96] [MERGED] fix: enforce body size limit on App Router server actions #306

New issue

Closed

opened 2026-05-06 12:39:05 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:39:05 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/96
Author: @southpolesteve
Created: 2/26/2026
Status: ✅ Merged
Merged: 2/26/2026
Merged by: @southpolesteve

Base: main ← Head: fix/action-body-size-limit

📝 Commits (1)

c2332e1 fix: enforce body size limit on App Router server actions

📊 Changes

1 file changed (+90 additions, -3 deletions)

View changed files

📝 packages/vinext/src/server/app-dev-server.ts (+90 -3)

📄 Description

Summary

Adds a configurable MAX_ACTION_BODY_SIZE (default 1MB) check before consuming request bodies in server actions, matching the existing limit in Pages Router API handlers and the Next.js default for serverActions.bodySizeLimit.

Content-Length checked as a fast path, returns 413 immediately for oversized declared payloads
Stream-level enforcement via __readBodyWithLimit / __readFormDataWithLimit to handle chunked transfer where Content-Length may be absent
Multipart form data reconstructed with correct Content-Type for boundary parsing after stream consumption

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/96 **Author:** [@southpolesteve](https://github.com/southpolesteve) **Created:** 2/26/2026 **Status:** ✅ Merged **Merged:** 2/26/2026 **Merged by:** [@southpolesteve](https://github.com/southpolesteve) **Base:** `main` ← **Head:** `fix/action-body-size-limit` --- ### 📝 Commits (1) - [`c2332e1`](https://github.com/cloudflare/vinext/commit/c2332e15885fcafcdc8307d577ff3c11126cb1d7) fix: enforce body size limit on App Router server actions ### 📊 Changes **1 file changed** (+90 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/server/app-dev-server.ts` (+90 -3) </details> ### 📄 Description ## Summary Adds a configurable `MAX_ACTION_BODY_SIZE` (default 1MB) check before consuming request bodies in server actions, matching the existing limit in Pages Router API handlers and the Next.js default for `serverActions.bodySizeLimit`. - Content-Length checked as a fast path, returns 413 immediately for oversized declared payloads - Stream-level enforcement via `__readBodyWithLimit` / `__readFormDataWithLimit` to handle chunked transfer where Content-Length may be absent - Multipart form data reconstructed with correct Content-Type for boundary parsing after stream consumption --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>