PT-2026-4817 · Vercel · Next.Js

Published: 2026-01-26 · Updated: 2026-01-28 · CVE-2025-59472

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Next.js versions with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Description: A denial of service issue exists in Next.js when Partial Prerendering (PPR) is enabled in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests carrying the Next-Resume: 1 header and processes attacker-controlled postponed state data. The server buffers the entire POST request body into memory with Buffer.concat() and no size limit, so a large body alone can exhaust available memory. In addition, the resume data is decompressed with inflateSync() without an output size limit, so a small compressed payload can expand many times over and exhaust memory; because the body that reaches the proxy is small, this zip-bomb variant can bypass reverse proxy request size limits. Either path ends in a fatal V8 out-of-memory error that terminates the Node.js process. The API endpoint involved is the PPR resume endpoint; the vulnerable data is the attacker-controlled postponed state data.

Recommendations: Upgrade to version 15.6.0-canary.61 or 16.1.5.

Tags: Fix · DoS · Allocation of Resources Without Limits · Resource Exhaustion

Weakness Enumeration

Related Identifiers: CVE-2025-59472, GHSA-5F7Q-JPQC-WP7H

Affected Products: Next.Js