CVE-2026-27979 in next.js
Summary
by MITRE • 03/18/2026
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.
Analysis
by VulDB Data Team • 03/23/2026
The vulnerability described in CVE-2026-27979 affects Next.js versions 16.0.1 through 16.1.6, specifically applications that use the App Router with Partial Prerendering (PPR) enabled. The issue stems from inconsistent enforcement of size limits while buffering the request body of a postponed resume request. It manifests when a request carries the `next-resume: 1` header, which marks a PPR resume request within Next.js's rendering pipeline. On the affected path the request body is buffered without consistent enforcement of `maxPostponedStateSize`; non-minimal deployments are the ones exposed, because the earlier mitigation covered only minimal-mode deployments.
Technically, the vulnerability lies in the framework's handling of postponed rendering state during partial prerendering. When the `next-resume` header is present, Next.js reads the request body as the state needed to resume a previously postponed render. The buffering of these resume payloads did not enforce the size limit consistently across all deployment configurations, which creates a memory-exhaustion vector. The behaviour is specific to applications configured with `experimental.ppr` or `cacheComponents`, where the rendering pipeline keeps state that can be resumed later. The result is a classic denial-of-service scenario: an attacker can consume excessive server memory by sending POST requests with oversized resume payloads.
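The buffering defect described above, as an added illustration (this is not Next.js source code, and `MAX_POSTPONED_BODY_BYTES` is a constructed cap, not the framework's real `maxPostponedStateSize` default): an unbounded reader of the vulnerable shape beside a bounded one, where every buffering path goes through a single accumulator that counts bytes as chunks arrive and fails before the chunk that crosses the limit is retained. The class and function names are assumptions made for the example.

```javascript
// Added illustration, not code from Next.js: the defect class in this
// advisory is a request body buffered to completion with the size limit
// checked on some code paths but not others. Routing every buffering path
// through one accumulator that counts bytes as they arrive and fails fast
// makes the cap impossible to skip. MAX_POSTPONED_BODY_BYTES is a
// constructed value, not the framework's real `maxPostponedStateSize` default.
const MAX_POSTPONED_BODY_BYTES = 1024;

class PostponedBodyTooLargeError extends Error {
  constructor(limit, seen) {
    super(`postponed resume body exceeds ${limit} bytes (saw at least ${seen})`);
    this.name = "PostponedBodyTooLargeError";
  }
}

// Shared accumulator: memory held never exceeds `limit`, because the chunk
// that would cross the limit is rejected before it is retained.
class BoundedBodyAccumulator {
  constructor(limit = MAX_POSTPONED_BODY_BYTES) {
    this.limit = limit;
    this.total = 0;
    this.chunks = [];
  }

  push(chunk) {
    const next = this.total + chunk.length;
    if (next > this.limit) throw new PostponedBodyTooLargeError(this.limit, next);
    this.total = next;
    this.chunks.push(chunk);
    return this.total;
  }

  finish() {
    return Buffer.concat(this.chunks);
  }
}

// Vulnerable shape: every chunk is kept, so memory grows with the request.
async function readUnbounded(body) {
  const chunks = [];
  for await (const chunk of body) chunks.push(chunk);
  return Buffer.concat(chunks);
}

// Fixed shape: the only way to buffer a postponed body is through the
// bounded accumulator, whatever the deployment mode.
async function readBounded(body, limit = MAX_POSTPONED_BODY_BYTES) {
  const acc = new BoundedBodyAccumulator(limit);
  for await (const chunk of body) acc.push(chunk);
  return acc.finish();
}

// Constructed request body: `count` chunks of `size` bytes each.
function* fakeBody(count, size) {
  for (let i = 0; i < count; i++) yield Buffer.alloc(size, 0x41);
}

async function demo() {
  const small = await readBounded(fakeBody(4, 64)); // 256 bytes, under the cap
  console.log(`accepted ${small.length} bytes`);
  try {
    await readBounded(fakeBody(64, 64)); // 4096 bytes, rejected at chunk 17
  } catch (err) {
    console.log(`rejected: ${err.message}`);
  }
}

demo();
```

The point of the single accumulator is the one the advisory makes about the fix: a limit that lives in one code path (here, minimal mode) is a limit that can be missed on another, whereas a limit that is the only way to buffer at all applies to every deployment configuration.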
The operational impact goes beyond simple resource exhaustion to application availability and stability. Exploiting this weakness can exhaust memory allocation, leading to application crashes or service unavailability for legitimate users. It affects the application server's own memory consumption and potentially the underlying infrastructure, since excessive buffering causes memory pressure across the whole host. This is particularly concerning in production environments where resource constraints are already tight, because the attack surface includes every route of an affected deployment that accepts a POST request carrying the `next-resume` header.
The mitigation is to upgrade to Next.js 16.1.7 or later, where the framework enforces the size limit on every postponed-body buffering path and returns an error when the limit is exceeded. The fix addresses the root cause by validating size regardless of deployment configuration, so minimal and non-minimal deployments behave the same. Organizations that cannot upgrade immediately should block requests containing the `next-resume` header outright, as this header should never be present in a request from an untrusted client. The vulnerability is classified under CWE-400 (uncontrolled resource consumption, i.e. denial of service) and relates to ATT&CK technique T1499.004 for resource-exhaustion attacks. It underlines the importance of input validation and resource management in web frameworks, particularly those with sophisticated, stateful rendering pipelines.
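The interim workaround named in both the summary and the analysis (block any request carrying `next-resume`), as an added example that is not Next.js code: a request guard written against the standard `Headers`/`Request`/`Response` API, so the same function fits a Next.js proxy or middleware handler, an edge function, or a plain Node server. The function names `guardResumeRequests` and `isUntrustedResumeRequest` and the host `app.example` are assumptions for the example.

```javascript
// Added example, not Next.js code: a request guard for the advisory's interim
// workaround, rejecting any request that carries the `next-resume` header.
// Only the standard Headers/Request/Response API is used (global in Node 18+,
// edge runtimes and browsers). The function names are assumptions, not
// framework APIs.

const RESUME_HEADER = "next-resume";

// Presence check rather than a value check: an untrusted client has no valid
// reason to send this header at all, so any value is grounds to block.
// `Headers` normalises names, so `Next-Resume` and `next-resume` match alike.
function isUntrustedResumeRequest(headers) {
  return new Headers(headers).has(RESUME_HEADER);
}

// Returns a 403 Response for requests that must be blocked, or null to let
// the request continue to the next handler. The body is never read here, so
// this layer itself buffers nothing from an oversized payload.
function guardResumeRequests(request) {
  if (isUntrustedResumeRequest(request.headers)) {
    return new Response("Forbidden", {
      status: 403,
      headers: { "content-type": "text/plain" },
    });
  }
  return null;
}

// Constructed sample traffic: one request with the header, one without.
function demo() {
  const withHeader = new Request("http://app.example/", {
    method: "POST",
    headers: { "Next-Resume": "1" },
    body: "x".repeat(64), // stand-in for a resume payload
  });
  const ordinary = new Request("http://app.example/", { method: "GET" });
  for (const req of [withHeader, ordinary]) {
    const verdict = guardResumeRequests(req);
    console.log(`${req.method} ${verdict ? `blocked (${verdict.status})` : "allowed"}`);
  }
}

demo();
```

Where a reverse proxy, CDN or load balancer sits in front of the application, the same presence check is better placed there, so that a request with this header is dropped before the Node process receives any of its body; the guard above then remains as defence in depth inside the application. Once the deployment is on 16.1.7 or later the framework's own size limit applies, but the header still has no legitimate source outside the framework's resume flow, so keeping the rule costs nothing.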