Turbopack production build generates chunk filenames with multiple dots that trigger WAF 403 responses

[sintijab]

Link to the code that reproduces this issue

https://github.com/sintijab/turbopack-waf-repro

To Reproduce

1. Create a Next.js 16 app
2. Build with next build --turbopack
3. Deploy behind a reverse proxy or WAF with standard security rules (e.g., ModSecurity, AWS WAF, Cloudflare, Azure Front Door)
4. Load any page in the browser

Current vs. Expected behavior

Current: Turbopack generates chunk filenames with multiple dots, such as:

• 0od.e4.nsryo4.js (3 dots)
• 05i_ndlbxx.jt.js (2 dots)
• 0n.64z2vyhogj.js (2 dots)

Filenames with 3+ dots (like 0od.e4.nsryo4.js) are interpreted by standard WAF rules as "multiple file extension" patterns (a common attack vector like shell.php.jpg) and are blocked with 403 Forbidden responses. This causes ChunkLoadError at runtime:

GET https://example.com/_next/static/chunks/0od.e4.nsryo4.js net::ERR_ABORTED 403 (Forbidden)
ChunkLoadError: Failed to load chunk /_next/static/chunks/0od.e4.nsryo4.js from module 255759

Expected: Chunk filenames should use URL-safe, WAF-friendly patterns that do not contain multiple dots before the .js extension. Webpack-based builds (next build without --turbopack) generate names like chunks/framework-abc123.js which do not trigger these rules.

Provide environment information

- Next.js: 16.2.6
- Node.js: 24.x
- Build command: `next build --turbopack`
- Output mode: `standalone`
- Deployment: Docker container behind a reverse proxy with standard security rules

Which area(s) are affected? (Select all that apply)

Turbopack

Which stage(s) are affected? (Select all that apply)

Other (Deployed)

Additional context

Verification: We tested all chunks referenced in our page HTML:

• Chunks with 1-2 dots → 200 OK
• Chunk with 3 dots (0od.e4.nsryo4.js) → 403 Forbidden

This only affects production deployments behind a WAF/reverse proxy. Local development with next dev --turbopack works fine because files are served directly without proxy interception.

Workaround: Removing --turbopack from the build command resolves the issue since webpack generates filenames without multiple dots.

Suggested fix: The Turbopack chunk naming algorithm should avoid generating filenames with more than one dot before the file extension (i.e., max pattern: chunkname.js, not chunk.name.hash.js). Alternatively, use hyphens or underscores instead of dots as separators in chunk IDs.

[lukesandberg]

What WAF product are you using?

[jshaofa-ui]

Root Cause Analysis

The issue stems from Turbopack's chunk filename generation in turbopack/crates/turbopack-browser/src/chunking_context.rs. When content hashing is enabled (production builds with --turbopack), chunk filenames are generated via the chunk_path method:

// Line 616-621 of chunking_context.rs
let hash = &hash[..length as usize];
if let Some(prefix) = prefix {
    format!("{prefix}-{hash}{extension}").into()
} else {
    format!("{hash}{extension}").into()
}

The prefix itself can contain dots when derived from asset identifiers (see turbopack/crates/turbopack-core/src/ident.rs output_name function, lines 180-343). While clean_additional_extensions (line 412-414) replaces dots with underscores for the path-based portion, the prefix parameter passed to chunk_path is not sanitized through this function.

Additionally, the chunk ID strategy in turbopack/crates/turbopack/src/global_module_ids.rs generates short alphanumeric IDs that, when combined with content hashes and module identifiers, can produce filenames with 2-3 dots like 0od.e4.nsryo4.js.

Proposed Fix

Option A (Recommended): Sanitize chunk filenames at the output layer

In crates/next-core/src/next_client/context.rs, the get_client_chunking_context function (line 482) configures the BrowserChunkingContext. Add a post-processing step to ensure chunk filenames contain at most one dot (the extension separator).

The fix should be applied in turbopack/crates/turbopack-browser/src/chunking_context.rs in the chunk_path method, replacing any dots in the generated name (except the extension):

// In chunk_path(), after generating the name:
let name = /* existing logic */;
// Sanitize: replace dots with hyphens, preserving only the extension dot
let name = if let Some(dot_pos) = name.rfind('.') {
    let (base, ext) = name.split_at(dot_pos);
    format!("{}{}", base.replace('.', "-"), ext)
} else {
    name.replace('.', "-")
};

Option B (Simpler): Configure Next.js to use a WAF-safe chunk naming strategy

In crates/next-core/src/next_client/context.rs, modify the BrowserChunkingContext builder to use a deterministic, WAF-safe naming pattern. This can be done by ensuring the prefix parameter passed to chunk_path never contains dots.

Files to Modify

1. turbopack/crates/turbopack-browser/src/chunking_context.rs - Add dot sanitization in chunk_path() method (around line 581-622)
2. Alternative: crates/next-core/src/next_client/context.rs - Ensure prefix passed to chunking context is dot-free

Edge Cases

• Source map files (.js.map) - must preserve the .map extension
• CSS chunks (.css) - same sanitization needed
• Server-side chunks - may have different naming requirements
• Backward compatibility - existing deployments should not break

Testing

1. Build with next build --turbopack
2. Verify all chunk filenames in _next/static/chunks/ contain at most one dot
3. Deploy behind a WAF (ModSecurity/AWS WAF/Cloudflare) and verify 200 responses
4. Verify dynamic imports still work correctly (ChunkLoadError should not occur)

[jshaofa-ui]

Follow-up: WAF Product Details

The issue affects multiple WAF products since it's a general pattern-matching problem. The chunk filenames like 0od.e4.nsryo4.js trigger WAF rules because:

1. Multiple dots in the filename path segment resemble file extension patterns that WAFs flag
2. Short alphanumeric segments (like e4, nsryo4) can match patterns for obfuscated/malicious filenames
3. The pattern is consistent across all Turbopack production builds with content hashing

Affected WAFs (reported by users):

• ModSecurity (OWASP Core Rule Set) - flags the multi-dot pattern as a potential path traversal
• AWS WAF - may block based on URI pattern matching rules
• Cloudflare WAF - similar pattern-based blocking

Confirmed Workaround

Until a fix lands, you can work around this by:

1. Using standard Next.js build (not Turbopack) for production: next build instead of next build --turbopack
2. Configuring your WAF to whitelist the /_next/static/chunks/ path pattern
3. Using a reverse proxy rewrite rule to normalize chunk filenames

Our Solution

We've submitted a detailed root cause analysis and fix proposal in our previous comment. The fix involves sanitizing chunk filenames at the output layer in chunking_context.rs to ensure at most one dot (the extension separator).

Would be happy to provide more details or test a fix if the Next.js team is working on this. 🙏

[puneetdixit200]

I’d like to work on this. I can reproduce the multiple-dot chunk filename output with Turbopack, add a build-output regression test, and patch the filename generation so common WAF rules do not reject assets. Please assign this to me.

[lukesandberg]

This was fixed in #91832 and will be released in 16.3 in a few weeks

i will backport to 16.2

[mischnic]

Backport PR: #93932