PT-2026-39411 · Vercel · Next.js

Tim Neutkens · Published 2026-05-09 · Updated 2026-05-13 · CVE-2026-44579

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Next.js versions prior to 15.5.16
Next.js versions prior to 16.2.5

Description

Applications utilizing Partial Prerendering via the Cache Components feature are susceptible to connection exhaustion. A crafted POST request to a server action can trigger a request-body handling deadlock. This state keeps connections open for an extended period, consuming file descriptors and server capacity, which may result in a denial of service for legitimate users.

Recommendations

Update to version 15.5.16.
Update to version 16.2.5.
As a temporary workaround, block requests at the edge that contain the Next-Resume header.
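
The temporary workaround above, as an added example (not code from Vercel or from this advisory): a wrapper for a Node.js front-end handler that rejects any request carrying the Next-Resume header, whatever its letter case or value. The function names and sample requests are hypothetical, and the filter is assumed to run in a proxy placed in front of the Next.js server.

```javascript
// Added example: reject any client request that carries the Next-Resume header
// before it reaches the Next.js server. All names here are hypothetical.
const BLOCKED_HEADER = 'next-resume';

// rawHeaders is Node's flat [name, value, name, value, ...] array. Checking the
// names catches the header in any letter case and with any value, even empty.
function carriesBlockedHeader(rawHeaders) {
  for (let i = 0; i < rawHeaders.length; i += 2) {
    if (String(rawHeaders[i]).trim().toLowerCase() === BLOCKED_HEADER) return true;
  }
  return false;
}

// Wraps a (req, res) handler, for example the forwarding handler of a proxy.
// Returns false when the request was blocked and true when it was passed on.
function guard(next) {
  return function guarded(req, res) {
    if (carriesBlockedHeader(req.rawHeaders || [])) {
      res.statusCode = 403;
      res.setHeader('Connection', 'close'); // release the socket right away
      res.end('Forbidden\n');
      return false;
    }
    next(req, res);
    return true;
  };
}

// Constructed sample requests (not captured traffic).
function demo() {
  const samples = [
    ['Host', 'app.example', 'Content-Type', 'text/plain'],
    ['Host', 'app.example', 'NEXT-RESUME', '1'],
    ['Host', 'app.example', 'next-resume', ''],
  ];
  return samples.map((rawHeaders) => carriesBlockedHeader(rawHeaders));
}

console.log(demo()); // [ false, true, true ]
```

Matching on the header name rather than its value matters here: a rule that only tests whether the value is non-empty would let an empty Next-Resume header through.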

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-44579
GHSA-MG66-MRH9-M8JX

Affected Products

Next.js