CVE-2026-27979
Unbounded Memory Buffering in Next.js Partial Prerendering Causes DoS
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vercel | next.js | From 16.0.1 (inc) to 16.1.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27979 is a vulnerability in the Next.js framework affecting versions from 16.0.1 up to but not including 16.1.7. It involves the handling of the `next-resume: 1` HTTP header used for Partial Prerendering (PPR) resume requests. In certain non-minimal deployment setups using the App Router with Partial Prerendering enabled, the system buffers POST request bodies without consistently enforcing a size limit called `maxPostponedStateSize`. This inconsistent enforcement allows an attacker to send oversized POST payloads with the `next-resume` header, causing excessive memory usage due to unbounded buffering.
This vulnerability can lead to denial of service (DoS) by exhausting server resources. The issue was fixed in version 16.1.7 by enforcing size limits uniformly across all postponed-body buffering paths and returning errors when limits are exceeded. Until upgrading, it is recommended to block requests containing the `next-resume` header, as such requests should never come from untrusted clients.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause excessive memory consumption on your server hosting Next.js applications. By sending large POST requests with the `next-resume` header, an attacker can exploit the inconsistent size enforcement in postponed resume buffering, leading to resource exhaustion.
The primary impact is a denial of service (DoS) condition, where the server becomes overwhelmed and unable to process legitimate requests due to excessive memory usage. There is no impact on confidentiality or integrity, but availability is affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for HTTP requests containing the `next-resume` header, specifically with the value `1`. Since such requests are never valid from untrusted clients, their presence indicates potential exploitation attempts.
You can use network inspection tools or command-line utilities to filter and detect these requests.
- Using tcpdump to capture HTTP headers containing 'next-resume': `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'next-resume'`
- Using curl or similar tools to test if your server responds to requests with the 'next-resume' header.
- Checking server logs for POST requests that include the 'next-resume' header. [1]
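The log-based check from the list above, worked through as an added example (this is not code from the advisory, from Next.js, or from the Q&A source). One caveat for the packet-capture option: on port 443 tcpdump only sees TLS ciphertext, so header matching there has to happen at the TLS-terminating proxy or, as here, in application logs. The JSON-per-line log format and the sample lines are constructed for this example; the scanner flags every request carrying the `next-resume` header, ignores header-name case, skips malformed lines, and reports the largest declared body seen so the alert conveys how much buffering was attempted.

```javascript
// Added example: scan application log lines for requests that carry the
// `next-resume` header. Log format (JSON per line with method, path,
// headers, contentLength) is an assumption for this example, and the
// lines below are constructed sample data.

const SAMPLE_LOGS = [
  '{"ts":"2026-03-18T10:00:00Z","method":"GET","path":"/","headers":{"user-agent":"curl/8.0"},"contentLength":0}',
  '{"ts":"2026-03-18T10:00:01Z","method":"POST","path":"/dashboard","headers":{"next-resume":"1","content-type":"text/plain"},"contentLength":52428800}',
  '{"ts":"2026-03-18T10:00:02Z","method":"POST","path":"/api/form","headers":{"content-type":"application/json"},"contentLength":312}',
  'this line is not valid JSON and should be skipped',
  '{"ts":"2026-03-18T10:00:03Z","method":"POST","path":"/blog","headers":{"Next-Resume":"1"},"contentLength":1024}',
];

// HTTP header names are case-insensitive, so normalise before matching.
function hasResumeHeader(headers) {
  if (!headers || typeof headers !== 'object') return false;
  return Object.keys(headers).some((k) => k.toLowerCase() === 'next-resume');
}

// Return one finding per log line that carries the header.
function scanLogs(lines) {
  const findings = [];
  for (const line of lines) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (err) {
      continue; // malformed line: skip it rather than abort the scan
    }
    if (hasResumeHeader(entry.headers)) {
      findings.push({
        ts: entry.ts,
        method: entry.method,
        path: entry.path,
        contentLength: Number(entry.contentLength) || 0,
      });
    }
  }
  return findings;
}

// Summary suitable for an alert: how many suspicious requests, and the
// largest declared body among them (an indicator of buffering pressure).
function summarise(findings) {
  const largest = findings.reduce((m, f) => Math.max(m, f.contentLength), 0);
  return { count: findings.length, largestBodyBytes: largest };
}

// Worked run over the constructed sample.
const findings = scanLogs(SAMPLE_LOGS);
console.log(findings);
console.log(summarise(findings));
```

Only the two lines carrying the header (in either spelling) are reported; the malformed line and the ordinary POST are ignored.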
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation is to block any incoming requests containing the `next-resume` header, as such requests should never originate from untrusted clients.
Upgrading the Next.js framework to version 16.1.7 or later is the definitive fix, as this version enforces size limits consistently across all postponed-body buffering paths and returns errors when limits are exceeded.
If upgrading is not immediately possible, implement firewall or application-level rules to reject or drop requests with the `next-resume` header to prevent exploitation.
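The application-level rule from the mitigation steps above, as an added example (not code from the advisory, from Next.js, or from the Q&A source). It is a framework-neutral guard: `guardRequest` rejects any request from an untrusted client that carries the `next-resume` header, which is the advisory's interim mitigation, and the `resumeGuardMiddleware` adapter shows the Express-style req/res/next shape for dropping such requests in front of the application. As an addition that goes beyond the advisory, it also refuses POST requests whose declared Content-Length exceeds a cap; the `MAX_BODY_BYTES` value is an assumed setting for this example, not a Next.js option, and bodies sent with chunked encoding would need a streaming counter in the proxy instead.

```javascript
// Added example: interim guard for CVE-2026-27979. Rule 1 (from the
// advisory) blocks the `next-resume` header from untrusted clients; rule 2
// (added defence in depth, not from the advisory) caps declared body size.
// MAX_BODY_BYTES is an assumed value for this example.

const MAX_BODY_BYTES = 1024 * 1024;

// Lower-case the header names; HTTP header names are case-insensitive,
// so `Next-Resume` must be treated the same as `next-resume`.
function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) {
    out[k.toLowerCase()] = Array.isArray(v) ? v.join(', ') : String(v);
  }
  return out;
}

// Decide whether to let a request through. Returns
// { allow: true } or { allow: false, status, reason }.
function guardRequest(method, rawHeaders, maxBodyBytes = MAX_BODY_BYTES) {
  const headers = normaliseHeaders(rawHeaders);

  // Rule 1: the PPR resume header must never arrive from an untrusted
  // client, whatever its value, so its mere presence is rejected.
  if ('next-resume' in headers) {
    return { allow: false, status: 403, reason: 'next-resume header not accepted from clients' };
  }

  // Rule 2: refuse oversized declared bodies before anything buffers them.
  // A missing or non-numeric Content-Length is not treated as oversized.
  if (method === 'POST' && 'content-length' in headers) {
    const declared = Number(headers['content-length']);
    if (Number.isFinite(declared) && declared > maxBodyBytes) {
      return { allow: false, status: 413, reason: 'declared body exceeds cap' };
    }
  }

  return { allow: true };
}

// Express-style adapter: consults guardRequest and never reads the body,
// so a rejected request costs no buffering at all.
function resumeGuardMiddleware(req, res, next) {
  const decision = guardRequest(req.method, req.headers);
  if (decision.allow) return next();
  res.statusCode = decision.status;
  res.setHeader('content-type', 'text/plain');
  res.end(decision.reason);
}

// Worked calls with constructed inputs.
console.log(guardRequest('GET', { host: 'example.test' }));
console.log(guardRequest('POST', { 'Next-Resume': '1', 'content-length': '52428800' }));
console.log(guardRequest('POST', { 'content-length': '52428800' }));
console.log(guardRequest('POST', { 'content-length': '312' }));
```

Place the guard at the layer facing untrusted clients (reverse proxy, edge function, or the application's own middleware); if a trusted internal component legitimately issues resume requests, it must reach the application over a path that bypasses this rule, and that path should not be reachable from the public network.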