Next.js CVE-2026-44579
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (https://github.com/vercel/next.js).
CVSS VectorVendor: https://github.com/vercel/next.js
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 15 npm packages depend on next (12 direct, 3 indirect)
Ecosystem-wide dependent count for version 15.0.0.
DescriptionCVE.org
Impact
Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service.
Fix
We now treat the header used for resuming Partial Prerendered requests as an internal-only header and strip it from untrusted incoming requests. This header should never be accepted directly from external clients.
Workarounds
If you cannot upgrade immediately, block requests that would be handled by Next.js if they contain the Next-Resume header at the edge.
AnalysisAI
Connection exhaustion denial of service affects Next.js applications using the Partial Prerendering feature with Cache Components. Remote unauthenticated attackers can send crafted POST requests containing the internal-only 'Next-Resume' header to server actions, triggering a request-body handling deadlock that holds connections open indefinitely, consuming file descriptors and server capacity until legitimate users cannot connect. Vendor-released patches are available in Next.js v15.5.16 and v16.2.5, which strip the internal header from untrusted external requests.
Technical ContextAI
Next.js Partial Prerendering (PPR) is an experimental rendering optimization that allows static shell content to be served immediately while dynamic components stream in later. The Cache Components feature uses an internal 'Next-Resume' header to coordinate resumption of partially prerendered requests between the Next.js framework and its runtime. The vulnerability stems from improper resource management (CWE-770: Allocation of Resources Without Limits or Throttling) when external clients can inject this internal-only header. When a malicious POST request to a server action includes the 'Next-Resume' header, the framework's request-body parsing logic enters a deadlock state, preventing the connection from closing. Each hanging connection consumes a file descriptor and holds server resources (memory, thread/event loop capacity) until system limits are reached, creating a resource exhaustion condition. This is a protocol-level design flaw where internal implementation details were inadvertently exposed to untrusted clients without proper validation.
RemediationAI
Upgrade Next.js to version 15.5.16 (for 15.x branch) or 16.2.5 (for 16.x branch), which implement automatic stripping of the 'Next-Resume' header from untrusted incoming requests, preventing external clients from triggering the deadlock condition. Download releases from https://github.com/vercel/next.js/releases/tag/v15.5.16 or https://github.com/vercel/next.js/releases/tag/v16.2.5. For environments where immediate upgrading is not feasible, implement edge-layer filtering to block any HTTP requests containing the 'Next-Resume' header before they reach the Next.js application - configure reverse proxies (nginx, Apache), CDNs (Cloudflare, Fastly), or API gateways to reject or strip this header from client requests. This workaround trades potential false positives (blocking legitimate internal framework operations if misconfigured) for immediate protection but requires careful testing to ensure the header filtering rule applies only to external traffic, not internal service-to-service communication within trusted network boundaries. Organizations using Partial Prerendering in production should also implement connection limits and timeouts at the load balancer or reverse proxy level to mitigate resource exhaustion attacks more broadly.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mg66-mrh9-m8jx