Vercel · Next.js · CVE-2026-27979
**Name of the Vulnerable Software and Affected Versions**
Next.js versions 16.0.1 through 16.1.6
**Description**
Next.js, a React framework for building full-stack web applications, is affected by an issue where requests containing the `next-resume: 1` header can lead to excessive memory usage and potential denial of service. This affects applications using the App Router with Partial Prerendering enabled (via `experimental.ppr` or `cacheComponents`). Specifically, the framework buffers request bodies without consistently enforcing the `maxPostponedStateSize` limit in certain configurations. Previous mitigations only addressed minimal-mode deployments, leaving non-minimal deployments exposed to unbounded postponed resume-body buffering. The issue arises when an attacker sends oversized `next-resume` POST payloads, which are buffered without proper size enforcement and can exhaust server memory. The **API endpoint** receiving these requests is not explicitly specified; the vulnerability is triggered by the presence of the `next-resume` header on a POST request, and the vulnerable parameter is the request body sent with the `next-resume: 1` header.
**Recommendations**
Next.js versions 16.0.1 through 16.1.6 are vulnerable. Upgrade to version 16.1.7 or later to enforce size limits across all postponed-body buffering paths and prevent the issue. If upgrading is not immediately possible, block requests containing the `next-resume` header, as it should not be sent from untrusted clients.
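The interim mitigation above (rejecting requests that carry the `next-resume` header) as an added example, not code from the Next.js project or this advisory. It is a framework-agnostic filter for a reverse proxy or edge layer in front of an unpatched 16.0.1 through 16.1.6 deployment; it assumes a Node-style request object with `method` and a `headers` object, and that no trusted component of the deployment legitimately sends this header.

```javascript
// Header name to reject, per the advisory. HTTP header names are
// case-insensitive, so the check normalises before comparing.
const BLOCKED_HEADER = 'next-resume';

// True when the header is present with any value (the advisory says to block
// on presence, not on the specific value `1`).
function hasResumeHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Decide how the front layer should handle a request. Returns a verdict the
// caller can map onto its own response type (HTTP 403 when blocked).
function filterRequest(req) {
  if (hasResumeHeader(req.headers)) {
    return {
      status: 403,
      reason: 'next-resume header is not accepted from untrusted clients',
    };
  }
  return { status: 200, reason: 'ok' };
}

// Build a structured record for blocked requests so a SIEM can alert on
// attempts to reach the vulnerable buffering path. `clientIp` is a
// hypothetical field supplied by the caller; Content-Length is recorded
// because oversized bodies are the trigger described in the advisory.
function blockedRequestEvent(req, clientIp) {
  const headers = req.headers || {};
  const lengthKey = Object.keys(headers).find(
    (name) => name.toLowerCase() === 'content-length'
  );
  return {
    event: 'next_resume_blocked',
    cve: 'CVE-2026-27979',
    method: req.method,
    contentLength: lengthKey ? Number(headers[lengthKey]) : null,
    clientIp,
  };
}

module.exports = { hasResumeHeader, filterRequest, blockedRequestEvent };
```

Once the deployment is upgraded to 16.1.7 or later, the framework enforces `maxPostponedStateSize` on all postponed-body paths and this filter can be retired.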