Skip to main content

Next.js CVE-2026-44579

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-11 https://github.com/vercel/next.js GHSA-mg66-mrh9-m8jx
7.5
CVSS 3.1 · Vendor: https://github.com/vercel/next.js
Share

Severity by source

Vendor (https://github.com/vercel/next.js) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/vercel/next.js).

CVSS VectorVendor: https://github.com/vercel/next.js

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:16 vuln.today
Analysis Generated
May 11, 2026 - 16:16 vuln.today
CVE Published
May 11, 2026 - 15:56 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 15 npm packages depend on next (12 direct, 3 indirect)

Ecosystem-wide dependent count for version 15.0.0.

DescriptionCVE.org

Impact

Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service.

Fix

We now treat the header used for resuming Partial Prerendered requests as an internal-only header and strip it from untrusted incoming requests. This header should never be accepted directly from external clients.

Workarounds

If you cannot upgrade immediately, block requests that would be handled by Next.js if they contain the Next-Resume header at the edge.

AnalysisAI

Connection exhaustion denial of service affects Next.js applications using the Partial Prerendering feature with Cache Components. Remote unauthenticated attackers can send crafted POST requests containing the internal-only 'Next-Resume' header to server actions, triggering a request-body handling deadlock that holds connections open indefinitely, consuming file descriptors and server capacity until legitimate users cannot connect. Vendor-released patches are available in Next.js v15.5.16 and v16.2.5, which strip the internal header from untrusted external requests.

Technical ContextAI

Next.js Partial Prerendering (PPR) is an experimental rendering optimization that allows static shell content to be served immediately while dynamic components stream in later. The Cache Components feature uses an internal 'Next-Resume' header to coordinate resumption of partially prerendered requests between the Next.js framework and its runtime. The vulnerability stems from improper resource management (CWE-770: Allocation of Resources Without Limits or Throttling) when external clients can inject this internal-only header. When a malicious POST request to a server action includes the 'Next-Resume' header, the framework's request-body parsing logic enters a deadlock state, preventing the connection from closing. Each hanging connection consumes a file descriptor and holds server resources (memory, thread/event loop capacity) until system limits are reached, creating a resource exhaustion condition. This is a protocol-level design flaw where internal implementation details were inadvertently exposed to untrusted clients without proper validation.

RemediationAI

Upgrade Next.js to version 15.5.16 (for 15.x branch) or 16.2.5 (for 16.x branch), which implement automatic stripping of the 'Next-Resume' header from untrusted incoming requests, preventing external clients from triggering the deadlock condition. Download releases from https://github.com/vercel/next.js/releases/tag/v15.5.16 or https://github.com/vercel/next.js/releases/tag/v16.2.5. For environments where immediate upgrading is not feasible, implement edge-layer filtering to block any HTTP requests containing the 'Next-Resume' header before they reach the Next.js application - configure reverse proxies (nginx, Apache), CDNs (Cloudflare, Fastly), or API gateways to reject or strip this header from client requests. This workaround trades potential false positives (blocking legitimate internal framework operations if misconfigured) for immediate protection but requires careful testing to ensure the header filtering rule applies only to external traffic, not internal service-to-service communication within trusted network boundaries. Organizations using Partial Prerendering in production should also implement connection limits and timeouts at the load balancer or reverse proxy level to mitigate resource exhaustion attacks more broadly.

Vendor StatusVendor

Share

CVE-2026-44579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy