PT-2026-25969 · Vercel · Next.Js

Ztanner · Published 2026-03-17 · Updated 2026-03-19 · CVE-2026-27979

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Next.js versions 16.0.1 through 16.1.6
Description: Next.js, a React framework for building full-stack web applications, is affected by an issue where requests carrying the `next-resume: 1` header can lead to excessive memory usage and potential denial of service. The issue affects applications that use the App Router with Partial Prerendering enabled (via experimental.ppr or cacheComponents). Specifically, the framework buffered request bodies without consistently enforcing the maxPostponedStateSize limit in certain configurations. Previous mitigations addressed only minimal-mode deployments, leaving non-minimal deployments exposed to unbounded buffering of postponed resume bodies. The issue arises when an attacker sends oversized `next-resume` POST payloads, which are buffered without size enforcement and can exhaust server memory. The API endpoint receiving these requests is not explicitly specified; the vulnerability is triggered by the presence of the `next-resume` header on a POST request. The vulnerable parameter is the request body associated with the `next-resume: 1` header.
Recommendations: Next.js versions 16.0.1 through 16.1.6 are vulnerable. Upgrade to version 16.1.7 or later, which enforces the size limit across all postponed-body buffering paths. If upgrading is not immediately possible, block requests containing the `next-resume` header at the edge, since it should never be sent by untrusted clients.
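The two mitigations above, shown as an added example that is not the advisory's or Next.js's own code: a request gate that a Node reverse proxy or custom server could apply in front of the app, rejecting `next-resume` from untrusted clients and refusing to buffer a resume body past a fixed cap. The cap value is an assumed placeholder, since the advisory does not state the maxPostponedStateSize default.

```javascript
// Assumed placeholder cap (1 MiB); the real maxPostponedStateSize default is
// not given in the advisory and should be taken from the Next.js docs.
const MAX_POSTPONED_STATE_SIZE = 1024 * 1024;

// Decide whether a request may reach the Next.js app.
// Returns null to allow it, otherwise the HTTP status to respond with.
function gateResumeRequest(headers, { trustedClient = false, maxBytes = MAX_POSTPONED_STATE_SIZE } = {}) {
  // Normalise header names; Node's IncomingMessage already lowercases them,
  // but a proxy or test harness may not.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  if (h['next-resume'] === undefined) return null; // ordinary request, nothing to do
  if (!trustedClient) return 403;                  // header is internal-only per the advisory
  // Fail fast on the declared length before reading a single body byte.
  const declared = Number.parseInt(h['content-length'] ?? '', 10);
  if (Number.isFinite(declared) && declared > maxBytes) return 413;
  return null;
}

// Accumulate body chunks, aborting as soon as the running total exceeds the
// cap, so a chunked or mis-declared body cannot grow the buffer unboundedly.
function bufferWithLimit(chunks, maxBytes = MAX_POSTPONED_STATE_SIZE) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) {
      throw new RangeError(`postponed state exceeds ${maxBytes} bytes`);
    }
    parts.push(chunk);
  }
  return Buffer.concat(parts, total);
}

// Constructed sample: an untrusted client sending the internal header is
// refused outright; a trusted hop with an oversized declared body gets 413.
console.log(gateResumeRequest({ 'next-resume': '1' }));                                  // 403
console.log(gateResumeRequest({ 'next-resume': '1', 'content-length': '5000000' }, { trustedClient: true })); // 413
```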

Exploit

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

BDU:2026-04706
CVE-2026-27979
GHSA-H27X-G6W4-24GQ

Affected Products

Next.Js