[backport]: experimental.middlewareClientMaxBodySize (#84722)

Backports:
- #84539
- #84712

---------

Co-authored-by: JJ Kasper <[email protected]>

Author: ztanner

docs/01-app/03-api-reference/05-config/01-next-config-js/middlewareClientMaxBodySize.mdx

@@ -0,0 +1,118 @@
+---
+title: experimental.middlewareClientMaxBodySize
+description: Configure the maximum request body size when using middleware.
+version: experimental
+---
+
+When middleware is used, Next.js automatically clones the request body and buffers it in memory to enable multiple reads - both in middleware and the underlying route handler. To prevent excessive memory usage, this configuration option sets a size limit on the buffered body.
+
+By default, the maximum body size is **10MB**. If a request body exceeds this limit, the body will only be buffered up to the limit, and a warning will be logged indicating which route exceeded the limit.
+
+## Options
+
+### String format (recommended)
+
+Specify the size using a human-readable string format:
+
+```ts filename="next.config.ts" switcher
+import type { NextConfig } from 'next'
+
+const nextConfig: NextConfig = {
+  experimental: {
+    middlewareClientMaxBodySize: '1mb',
+  },
+}
+
+export default nextConfig
+```
+
+```js filename="next.config.js" switcher
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  experimental: {
+    middlewareClientMaxBodySize: '1mb',
+  },
+}
+
+module.exports = nextConfig
+```
+
+Supported units: `b`, `kb`, `mb`, `gb`
+
+### Number format
+
+Alternatively, specify the size in bytes as a number:
+
+```ts filename="next.config.ts" switcher
+import type { NextConfig } from 'next'
+
+const nextConfig: NextConfig = {
+  experimental: {
+    middlewareClientMaxBodySize: 1048576, // 1MB in bytes
+  },
+}
+
+export default nextConfig
+```
+
+```js filename="next.config.js" switcher
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  experimental: {
+    middlewareClientMaxBodySize: 1048576, // 1MB in bytes
+  },
+}
+
+module.exports = nextConfig
+```
+
+## Behavior
+
+When a request body exceeds the configured limit:
+
+1. Next.js will buffer only the first N bytes (up to the limit)
+2. A warning will be logged to the console indicating the route that exceeded the limit
+3. The request will continue processing normally, but only the partial body will be available
+4. The request will **not** fail or return an error to the client
+
+If your application needs to process the full request body, you should either:
+
+- Increase the `middlewareClientMaxBodySize` limit
+- Handle the partial body gracefully in your application logic
+
+## Example
+
+```ts filename="middleware.ts"
+import { NextRequest, NextResponse } from 'next/server'
+
+export async function middleware(request: NextRequest) {
+  // Next.js automatically buffers the body with the configured size limit
+  // You can read the body in middleware...
+  const body = await request.text()
+
+  // If the body exceeded the limit, only partial data will be available
+  console.log('Body size:', body.length)
+
+  return NextResponse.next()
+}
+```
+
+```ts filename="app/api/upload/route.ts"
+import { NextRequest, NextResponse } from 'next/server'
+
+export async function POST(request: NextRequest) {
+  // ...and the body is still available in your route handler
+  const body = await request.text()
+
+  console.log('Body in route handler:', body.length)
+
+  return NextResponse.json({ received: body.length })
+}
+```
+
+## Good to know
+
+- This setting only applies when middleware is used in your application
+- The default limit of 10MB is designed to balance memory usage and typical use cases
+- The limit applies per-request, not globally across all concurrent requests
+- For applications handling large file uploads, consider increasing the limit accordingly

docs/02-pages/04-api-reference/04-config/01-next-config-js/middlewareClientMaxBodySize.mdx

@@ -0,0 +1,7 @@
+---
+title: experimental.middlewareClientMaxBodySize
+description: Configure the maximum request body size when using middleware.
+source: app/api-reference/config/next-config-js/middlewareClientMaxBodySize
+---
+
+{/* DO NOT EDIT. The content of this doc is generated from the source above. To edit the content of this page, navigate to the source page in your editor. You can use the `<PagesOnly>Content</PagesOnly>` component to add content that is specific to the Pages Router. Any shared content should not be wrapped in a component. */}

packages/next/errors.json

@@ -780,5 +780,8 @@
   "779": "Route %s used \"searchParams\" inside \"use cache\". Accessing dynamic request data inside a cache scope is not supported. If you need some search params inside a cached function await \"searchParams\" outside of the cached function and pass only the required search params as arguments to the cached function. See more info here: https://nextjs.org/docs/messages/next-request-in-use-cache",
   "780": "Invariant: failed to find parent dynamic route for notFound route %s",
   "781": "No LRU node to remove",
-  "782": "Failed to find the root directory of the project. This is a bug in Next.js."
+  "782": "Failed to find the root directory of the project. This is a bug in Next.js.",
+  "783": "Client Max Body Size must be a valid number (bytes) or filesize format string (e.g., \"5mb\")",
+  "784": "Client Max Body Size must be larger than 0 bytes",
+  "785": "Request body exceeded %s"
 }

packages/next/src/server/body-streams.ts

@@ -1,6 +1,9 @@
 import type { IncomingMessage } from 'http'
 import type { Readable } from 'stream'
 import { PassThrough } from 'stream'
+import bytes from 'next/dist/compiled/bytes'
+
+const DEFAULT_BODY_CLONE_SIZE_LIMIT = 10 * 1024 * 1024 // 10MB
 
 export function requestToBodyStream(
   context: { ReadableStream: typeof ReadableStream },
@@ -38,7 +41,8 @@ export interface CloneableBody {
 }
 
 export function getCloneableBody<T extends IncomingMessage>(
-  readable: T
+  readable: T,
+  sizeLimit?: number
 ): CloneableBody {
   let buffered: Readable | null = null
 
@@ -76,13 +80,35 @@ export function getCloneableBody<T extends IncomingMessage>(
       const input = buffered ?? readable
       const p1 = new PassThrough()
       const p2 = new PassThrough()
+
+      let bytesRead = 0
+      const bodySizeLimit = sizeLimit ?? DEFAULT_BODY_CLONE_SIZE_LIMIT
+      let limitExceeded = false
+
       input.on('data', (chunk) => {
+        if (limitExceeded) return
+
+        bytesRead += chunk.length
+
+        if (bytesRead > bodySizeLimit) {
+          limitExceeded = true
+          const urlInfo = readable.url ? ` for ${readable.url}` : ''
+          console.warn(
+            `Request body exceeded ${bytes.format(bodySizeLimit)}${urlInfo}. Only the first ${bytes.format(bodySizeLimit)} will be available unless configured. See https://nextjs.org/docs/app/api-reference/config/next-config-js/middlewareClientMaxBodySize for more details.`
+          )
+          p1.push(null)
+          p2.push(null)
+          return
+        }
+
         p1.push(chunk)
         p2.push(chunk)
       })
       input.on('end', () => {
-        p1.push(null)
-        p2.push(null)
+        if (!limitExceeded) {
+          p1.push(null)
+          p2.push(null)
+        }
       })
       buffered = p2
       return p1

packages/next/src/server/config-schema.ts

@@ -404,6 +404,7 @@ export const configSchema: zod.ZodType<NextConfig> = z.lazy(() =>
         linkNoTouchStart: z.boolean().optional(),
         manualClientBasePath: z.boolean().optional(),
         middlewarePrefetch: z.enum(['strict', 'flexible']).optional(),
+        middlewareClientMaxBodySize: zSizeLimit.optional(),
         multiZoneDraftMode: z.boolean().optional(),
         cssChunking: z.union([z.boolean(), z.literal('strict')]).optional(),
         nextScriptWorkers: z.boolean().optional(),

packages/next/src/server/config-shared.ts

@@ -906,6 +906,12 @@ export interface ExperimentalConfig {
    * Enable accessing root params via the `next/root-params` module.
    */
   rootParams?: boolean
+
+  /**
+   * Body size limit for request bodies with middleware configured.
+   * Defaults to 10MB. Can be specified as a number (bytes) or string (e.g. '5mb').
+   */
+  middlewareClientMaxBodySize?: SizeLimit
 }
 
 export type ExportPathMap = {
@@ -1614,6 +1620,7 @@ export const defaultConfig = Object.freeze({
     devtoolSegmentExplorer: true,
     browserDebugInfoInTerminal: false,
     optimizeRouterScrolling: false,
+    middlewareClientMaxBodySize: 10_485_760, // 10MB
   },
   htmlLimitedBots: undefined,
   bundlePagesRouterDependencies: false,

packages/next/src/server/config.ts

@@ -718,6 +718,32 @@ function assignDefaults(
     }
   }
 
+  // Normalize & validate experimental.middlewareClientMaxBodySize
+  if (typeof result.experimental?.middlewareClientMaxBodySize !== 'undefined') {
+    const middlewareClientMaxBodySize =
+      result.experimental.middlewareClientMaxBodySize
+    let normalizedValue: number
+
+    if (typeof middlewareClientMaxBodySize === 'string') {
+      const bytes =
+        require('next/dist/compiled/bytes') as typeof import('next/dist/compiled/bytes')
+      normalizedValue = bytes.parse(middlewareClientMaxBodySize)
+    } else if (typeof middlewareClientMaxBodySize === 'number') {
+      normalizedValue = middlewareClientMaxBodySize
+    } else {
+      throw new Error(
+        'Client Max Body Size must be a valid number (bytes) or filesize format string (e.g., "5mb")'
+      )
+    }
+
+    if (isNaN(normalizedValue) || normalizedValue < 1) {
+      throw new Error('Client Max Body Size must be larger than 0 bytes')
+    }
+
+    // Store the normalized value as a number
+    result.experimental.middlewareClientMaxBodySize = normalizedValue
+  }
+
   warnOptionHasBeenMovedOutOfExperimental(
     result,
     'transpilePackages',

packages/next/src/server/lib/router-utils/resolve-routes.ts

@@ -165,7 +165,10 @@ export function getResolveRoutes(
     addRequestMeta(req, 'initProtocol', protocol)
 
     if (!isUpgradeReq) {
-      addRequestMeta(req, 'clonableBody', getCloneableBody(req))
+      const bodySizeLimit = config.experimental.middlewareClientMaxBodySize as
+        | number
+        | undefined
+      addRequestMeta(req, 'clonableBody', getCloneableBody(req, bodySizeLimit))
     }
 
     const maybeAddTrailingSlash = (pathname: string) => {

packages/next/src/server/next-server.ts

@@ -1925,7 +1925,13 @@ export default class NextNodeServer extends BaseServer<
     addRequestMeta(req, 'initProtocol', protocol)
 
     if (!isUpgradeReq) {
-      addRequestMeta(req, 'clonableBody', getCloneableBody(req.originalRequest))
+      const bodySizeLimit = this.nextConfig.experimental
+        ?.middlewareClientMaxBodySize as number | undefined
+      addRequestMeta(
+        req,
+        'clonableBody',
+        getCloneableBody(req.originalRequest, bodySizeLimit)
+      )
     }
   }
 

test/e2e/client-max-body-size/app/api/echo/route.ts

@@ -0,0 +1,15 @@
+import { NextRequest, NextResponse } from 'next/server'
+
+export async function POST(request: NextRequest) {
+  const body = await request.text()
+  return new NextResponse(
+    JSON.stringify({
+      message: 'Hello World',
+      bodySize: body.length,
+    }),
+    {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    }
+  )
+}