Automated security scanners flag SQL injection on /_next/static chunk URLs – confirmation of expected behavior

[georgepolygon]

Next.js version

16.0.7

Description

During a security assessment, automated tools (Burp Suite) flagged potential SQL injection findings against URLs under /_next/static/chunks/*.js and similar static asset paths generated by Next.js.

These endpoints serve prebuilt static JavaScript assets and do not involve server-side execution, request processing, or database interaction. The findings are based on payloads injected into the URL path of GET requests and appear to be false positives originating from static file delivery behavior.

Expected behavior

Static assets under /_next/static are served as immutable files and should not process user input or interact with backend services or databases.

Clarification requested

Could you please confirm:

• Whether this behavior is expected and considered benign by the Next.js framework
• Whether this is a known characteristic or documented limitation when static chunk URLs are scanned by automated security tools
• If there are any recommended mitigations or best practices for handling scanner false positives related to static assets

This confirmation is required for compliance and audit documentation.

Reproduction

No functional exploitation is possible. Findings are based solely on automated scanning of static asset URLs.

[icyJoseph]

Assets in the _next/static/chunks/*.js folder are not invoked by user input at runtime. They are referenced by the application’s HTML entry points and fetched by the browser exactly as built. Modifying the URL manually (including adding query parameters or payloads) does not change how the asset is served, interpreted, or executed by the browser.

In fact, these are designed to be served from a CDN, totally decoupled from any server running business logic. This is a false positive, and you may skip audit checks for SQL injection on these assets.