Skip to main content

Red Hat CVE-2026-27979

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-17 https://github.com/vercel/next.js GHSA-h27x-g6w4-24gq
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
Patch released
Mar 17, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 17, 2026 - 16:16 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 47 npm packages depend on next (45 direct, 2 indirect)

Ecosystem-wide dependent count for version 16.0.1.

DescriptionGitHub Advisory

Summary

A request containing the next-resume: 1 header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.

Impact

In applications using the App Router with Partial Prerendering capability enabled (via experimental.ppr or cacheComponents), an attacker could send oversized next-resume POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.

Patches

Fixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded.

Workarounds

If upgrade is not immediately possible:

  • Block requests containing the next-resume header, as this is never valid to be sent from an untrusted client.

AnalysisAI

Unbounded request body buffering in Next.js App Router with Partial Prerendering enabled allows remote attackers to trigger denial of service through oversized next-resume POST requests that bypass size enforcement in non-minimal deployments. An attacker can exhaust server memory by sending specially crafted resume payloads without authentication or user interaction. The vulnerability affects applications with experimental PPR features enabled and has been patched with consistent size limit enforcement.

Technical ContextAI

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Allocation of Resources Without Limits or Throttling (CWE-770).

RemediationAI

A vendor patch is available — apply it immediately. Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

Vendor StatusVendor

Share

CVE-2026-27979 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy