CVE-2025-59472
Denial of Service in Next.js Partial Prerendering via Memory Exhaustion
Publication date: 2026-01-26
Last updated on: 2026-02-24
Assigner: HackerOne
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vercel | next.js | From 15.0.0 (inc) to 15.6.0 (exc) |
| vercel | next.js | 15.6.0 (canary pre-releases; fixed in 15.6.0-canary.61, see mitigation guidance below) |
| vercel | next.js | From 16.0.0 (inc) to 16.1.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts. On the wire, look for POST requests carrying the header `Next-Resume: 1`: these are Partial Prerendering (PPR) resume requests, which in the vulnerable configuration are accepted without authentication and whose body is attacker-controlled. Unusually large bodies, compressed bodies, or many such requests from one source are the pattern this denial of service uses. On the host, check the Node.js process output (stderr, journal, or container logs) for the V8 crash signature `FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`, for example with `grep 'FATAL ERROR: Reached heap limit' /path/to/your/logs`. To confirm exposure, check that both preconditions hold at once: `experimental.ppr: true` (or `cacheComponents: true`) in the Next.js configuration, and the environment variable `NEXT_PRIVATE_MINIMAL_MODE=1` set on the server process. A probe such as `curl -X POST -H 'Next-Resume: 1' http://yourserver/ppr-resume-endpoint` shows whether the resume path is reachable unauthenticated; do not send large or compressed bodies to a production server, since a successful probe is the outage itself. Test that only against a staging copy.
Can you explain this vulnerability to me?
This vulnerability is a denial of service in Next.js when Partial Prerendering (PPR) is enabled and the server runs in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests carrying the `Next-Resume: 1` header and processes attacker-controlled data. There are two problems. First, the server buffers the entire POST body into memory with no size limit, so an attacker can send a very large payload that exhausts memory. Second, the server decompresses cached resume data without bounding the decompressed size, so a small compressed payload can expand enormously (a zip bomb) and exhaust memory the same way. Either path ends with the Node.js process crashing on a V8 out-of-memory error, which takes the whole server down rather than just the one request.
How can this vulnerability impact me?
The vulnerability can cause your Next.js server process to crash due to memory exhaustion, resulting in denial of service. Attackers can send specially crafted requests that consume excessive memory, causing fatal errors and terminating the Node.js process. This leads to application unavailability and potential disruption of services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Next.js to 16.1.5 or later, or, on the 15.6 canary line, to 15.6.0-canary.61 or later. Until you can upgrade, remove one of the two preconditions: do not run with `experimental.ppr: true` or `cacheComponents: true` while the `NEXT_PRIVATE_MINIMAL_MODE=1` environment variable is set, since both are required for the vulnerability to be exploitable. A request body size limit at the reverse proxy in front of the server is a further defense in depth, but it does not cover the decompression path, so it is not a substitute for the upgrade.