The core vulnerability: Implicit trust in Server Actions

Because Server Actions look like standard JavaScript functions inside your React files, developers often skip basic security checks. They write code assuming that if a button is disabled in the user interface, the action cannot be triggered.

This is a major flaw. During an audit, we capture the Action ID from the client-side JavaScript bundle. We can then craft raw HTTP POST requests to call the action directly. If the action does not validate user sessions internally, we can trigger operations without logging in.

Pentest finding

Server Action ID harvesting leads to BOLA and profile takeover

During an audit of a customer portal built on Next.js, we found a Server Action called updateUserEmail. By intercepting the request and swapping the target user ID parameter, we changed the email address of another customer account, bypassing all login screens and taking over the account.

Auditing parameter inputs with schemas

When users submit forms, Next.js handles serialization. If your Server Action accepts arguments directly and passes them to database queries without validation, you are vulnerable to type injection and SQL injection.

Always validate the input schema inside the server function. Use libraries like Zod or Yup to check type structures, and always fetch the user ID from secure server-side session cookies rather than trusting client-passed parameters.

// SECURE: Validating user session and payload in Next.js Server Action
"use server";

import { getSession } from "@/lib/session";
import { z } from "zod";

const profileSchema = z.object({
  displayName: z.string().min(3).max(50)
});

export async function updateProfile(data) {
  const session = await getSession();
  if (!session?.userId) {
    throw new Error("Access Denied");
  }

  const parsed = profileSchema.parse(data);

  // Bind to session user ID, NOT client arguments
  return await db.user.update({
    where: { id: session.userId },
    data: { name: parsed.displayName }
  });
}

Next.js Security Checklist

If your application uses Next.js Server Actions, verify these items:

  1. Check authorization inside actions: Do not rely on middleware or UI visibility. Every action must check user sessions.
  2. Use strict Zod schemas: Validate all incoming payloads to prevent type manipulation.
  3. Sanitize HTML outputs: If the action returns user-submitted text that is rendered in React, prevent cross-site scripting (XSS) by using sanitizers.

Let Simpa Labs audit your Next.js application

Modern React stacks are highly dynamic. We will review your Server Actions, test your API routes, and audit your database connections.

Book a Next.js Pentest