CVE-2025-59472

HIGH EPSS 28.2%
Published Jan 26, 2026 (5mo ago) · Modified Jun 17, 2026 (2w ago)
7.5 CVSS 3.1
High

Description

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.
2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`), causing the Node.js process to terminate. The zipbomb variant is particularly dangerous because it can bypass reverse proxy request size limits while still causing a large memory allocation on the server.

To be affected, an application must be running with `experimental.ppr: true` or `cacheComponents: true` configured along with the `NEXT_PRIVATE_MINIMAL_MODE=1` environment variable. Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next.js applications.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
28.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-400 Uncontrolled Resource Consumption (Resource Mgmt)

Affected Products 64

Vendor   Product   Version   Range
vercel   next.js   *         ≥15.0.0 – <15.6.0
vercel   next.js   *         ≥16.0.0 – <16.1.5
vercel   next.js   15.6.0    any

References 1

  • github.com https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.