CVE-2026-27979
Received Received - Intake
Unbounded Memory Buffering in Next.js Partial Prerendering Causes DoS

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27979
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vercel next.js From 16.0.1 (inc) to 16.1.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27979 is a vulnerability in the Next.js framework affecting versions from 16.0.1 up to but not including 16.1.7. It involves the handling of the `next-resume: 1` HTTP header used for Partial Prerendering (PPR) resume requests. In certain non-minimal deployment setups using the App Router with Partial Prerendering enabled, the system buffers POST request bodies without consistently enforcing a size limit called `maxPostponedStateSize`. This inconsistent enforcement allows an attacker to send oversized POST payloads with the `next-resume` header, causing excessive memory usage due to unbounded buffering.

This vulnerability can lead to denial of service (DoS) by exhausting server resources. The issue was fixed in version 16.1.7 by enforcing size limits uniformly across all postponed-body buffering paths and returning errors when limits are exceeded. Until upgrading, it is recommended to block requests containing the `next-resume` header, as such requests should never come from untrusted clients.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause excessive memory consumption on your server hosting Next.js applications. By sending large POST requests with the `next-resume` header, an attacker can exploit the inconsistent size enforcement in postponed resume buffering, leading to resource exhaustion.

The primary impact is a denial of service (DoS) condition, where the server becomes overwhelmed and unable to process legitimate requests due to excessive memory usage. There is no impact on confidentiality or integrity, but availability is affected.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring network traffic for HTTP requests containing the `next-resume` header, specifically with the value `1`. Since such requests are never valid from untrusted clients, their presence indicates potential exploitation attempts.'}, {'type': 'paragraph', 'content': 'You can use network inspection tools or command-line utilities to filter and detect these requests.'}, {'type': 'list_item', 'content': "Using tcpdump to capture HTTP headers containing 'next-resume': tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'next-resume'"}, {'type': 'list_item', 'content': "Using curl or similar tools to test if your server responds to requests with the 'next-resume' header."}, {'type': 'list_item', 'content': "Checking server logs for POST requests that include the 'next-resume' header."}] [1]

Mitigation Strategies

The primary immediate mitigation is to block any incoming requests containing the `next-resume` header, as such requests should never originate from untrusted clients.

Upgrading the Next.js framework to version 16.1.7 or later is the definitive fix, as this version enforces size limits consistently across all postponed-body buffering paths and returns errors when limits are exceeded.

If upgrading is not immediately possible, implement firewall or application-level rules to reject or drop requests with the `next-resume` header to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27979. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart