CVE-2025-59472: Next.js Memory Exhaustion DoS Vulnerability

CVE-2025-59472 Overview

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion.

The first vulnerability involves unbounded request body buffering where the server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory. The second vulnerability involves unbounded decompression (zipbomb) where resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

Critical Impact

Unauthenticated attackers can crash Next.js servers running with PPR enabled through memory exhaustion attacks, causing complete service unavailability.

Affected Products

• Next.js versions with experimental.ppr: true configured
• Next.js versions with cacheComponents: true configured
• Applications running with NEXT_PRIVATE_MINIMAL_MODE=1 environment variable

Discovery Timeline

• 2026-01-26 - CVE CVE-2025-59472 published to NVD
• 2026-01-27 - Last updated in NVD database

Technical Details for CVE-2025-59472

Vulnerability Analysis

This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), which accurately describes the core issue. The PPR resume endpoint in Next.js was designed to handle serialized state data for partial prerendering functionality but lacks proper input validation and resource limits.

When a Next.js application has Partial Prerendering enabled and runs in minimal mode, the server exposes an endpoint that processes POST requests containing postponed state data. This endpoint is unauthenticated and accessible to any network client that can reach the application.

The vulnerability stems from two resource consumption flaws in the request processing logic. First, the Buffer.concat() operation accumulates incoming request data without any upper bound, meaning an attacker can send multi-gigabyte payloads that will be fully buffered into server memory. Second, the decompression routine using inflateSync() expands compressed data without checking the resulting size, enabling classic zipbomb attacks where a small compressed payload decompresses into massive amounts of data.

Root Cause

The root cause is the absence of input validation and resource limits on the PPR resume endpoint. Specifically, the server lacks request body size limits before buffering and decompressed data size limits before processing. This allows an attacker to exploit either or both vectors to exhaust server memory and trigger Node.js process termination.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker sends a crafted POST request to the vulnerable endpoint with the Next-Resume: 1 header. For the unbounded buffering attack, the payload is simply a large request body. For the zipbomb attack, the payload is a small compressed file that expands to an enormous size when decompressed. Both attacks result in the Node.js process hitting its heap memory limit and terminating with a fatal error, taking down the entire application.

The vulnerability mechanism works as follows: An attacker identifies a Next.js application running with PPR enabled in minimal mode. They craft a malicious POST request targeting the resume endpoint with either a large uncompressed payload or a small zipbomb payload. The server processes the request, exhausting available memory, and the Node.js process terminates with FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory. For detailed technical information, refer to the GitHub Security Advisory.

Detection Methods for CVE-2025-59472

Indicators of Compromise

• Unusual number of POST requests containing the Next-Resume: 1 header from external sources
• Node.js process crashes with heap memory allocation failures in application logs
• Sudden spikes in memory usage on Next.js application servers
• Repeated server restarts or container crashes without corresponding application errors

Detection Strategies

• Monitor for POST requests with Next-Resume: 1 headers, particularly from untrusted sources or with unusually large payloads
• Implement alerting on Node.js process crashes that include "heap limit" or "out of memory" in the error message
• Configure infrastructure monitoring to detect rapid memory consumption patterns on Next.js servers
• Enable request logging at the reverse proxy level to capture requests that precede server crashes

Monitoring Recommendations

• Set up memory usage thresholds and alerts for Next.js application processes
• Monitor container or process restart frequency as an indicator of potential exploitation attempts
• Review web server access logs for patterns of large POST requests or requests with Next-Resume headers
• Implement real-time log analysis to correlate memory spikes with incoming HTTP requests

How to Mitigate CVE-2025-59472

Immediate Actions Required

• Upgrade Next.js to version 15.6.0-canary.61 or 16.1.5 or later immediately
• If immediate upgrade is not possible, disable Partial Prerendering by removing experimental.ppr: true from configuration
• Implement request body size limits at the reverse proxy or load balancer level
• Consider disabling minimal mode if it is not required for your deployment

Patch Information

The vulnerability has been addressed in Next.js versions 15.6.0-canary.61 and 16.1.5. Organizations running affected versions should upgrade to these patched releases as soon as possible. Detailed patch information is available in the GitHub Security Advisory.

Workarounds

• Configure reverse proxy or load balancer to enforce strict request body size limits (e.g., 10MB maximum)
• Disable PPR by setting experimental.ppr: false in your Next.js configuration
• Remove the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable if minimal mode is not essential
• Implement rate limiting on the PPR resume endpoint to slow down potential exploitation attempts

To implement request size limits at the NGINX level, you can configure the client_max_body_size directive. To disable PPR in your Next.js configuration, ensure that experimental.ppr is set to false or removed entirely from your next.config.js file. See the GitHub Security Advisory for additional mitigation guidance.