CVE-2026-27979 Overview
CVE-2026-27979 is a Denial of Service vulnerability affecting Next.js, the popular React framework for building full-stack web applications. The vulnerability exists in the Partial Prerendering (PPR) feature, where requests containing the next-resume: 1 header can cause unbounded memory consumption in non-minimal deployment configurations.
Critical Impact
Applications using the App Router with Partial Prerendering enabled are vulnerable to memory exhaustion attacks via oversized next-resume POST payloads, potentially causing service disruption and denial of service.
Affected Products
- Vercel Next.js versions 16.0.1 through 16.1.6
- Applications using App Router with experimental.ppr enabled
- Applications using App Router with cacheComponents enabled
Discovery Timeline
- 2026-03-18 - CVE-2026-27979 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-27979
Vulnerability Analysis
This vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling) stems from inconsistent enforcement of the maxPostponedStateSize limit in Next.js's Partial Prerendering feature. When a request contains the next-resume: 1 header, the server buffers the request body to process the PPR resume operation. While a previous mitigation addressed minimal-mode deployments, non-minimal deployment configurations remained vulnerable because the size enforcement was not applied consistently across all code paths handling postponed body buffering.
The attack vector is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability remotely by sending specially crafted POST requests with oversized payloads and the next-resume header to applications with PPR enabled.
Root Cause
The root cause is the inconsistent application of size limits when buffering postponed resume request bodies. The maxPostponedStateSize configuration was not uniformly enforced across all buffering paths in non-minimal deployments. This allowed attackers to bypass the intended resource constraints by targeting deployment configurations where the size validation was missing.
Attack Vector
An attacker targets Next.js applications running with Partial Prerendering enabled in non-minimal deployment mode. By sending HTTP POST requests with the next-resume: 1 header and oversized body content, the server attempts to buffer the entire payload without enforcing size limits. Repeated requests with large payloads can exhaust server memory, leading to degraded performance or complete denial of service.
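As an added illustration, not code from the Next.js repository (the function and class names are hypothetical), the unbounded buffering pattern described in the root cause beside a bounded reader that fails closed as soon as the configured limit is exceeded:

```javascript
// Vulnerable pattern: every chunk is retained until the request ends, so the
// peak allocation is whatever the client chooses to send.
function bufferUnbounded(chunks) {
  return Buffer.concat(chunks.map((c) => Buffer.from(c)));
}

// Hardened pattern: keep a running byte count and fail closed as soon as the
// next chunk would push it past the limit, before that chunk is retained.
class BoundedBodyReader {
  constructor(maxBytes) {
    if (!Number.isInteger(maxBytes) || maxBytes <= 0) {
      throw new RangeError('maxBytes must be a positive integer');
    }
    this.maxBytes = maxBytes;
    this.received = 0;
    this.chunks = [];
  }

  // Returns true while under the limit; throws a 413-style error once over it.
  push(chunk) {
    const buf = Buffer.from(chunk);
    this.received += buf.length;
    if (this.received > this.maxBytes) {
      this.chunks = []; // release what was buffered so far
      const err = new Error(`postponed state exceeds ${this.maxBytes} bytes`);
      err.statusCode = 413;
      throw err;
    }
    this.chunks.push(buf);
    return true;
  }

  finish() {
    return Buffer.concat(this.chunks);
  }
}

// Hypothetical stream wrapper: reads a Node Readable (e.g. an IncomingMessage)
// and tears down the connection the moment the limit is crossed.
async function readBodyWithSizeLimit(stream, maxBytes) {
  const reader = new BoundedBodyReader(maxBytes);
  try {
    for await (const chunk of stream) reader.push(chunk);
  } catch (err) {
    stream.destroy(err);
    throw err;
  }
  return reader.finish();
}
```

The check must run on the running total before each chunk is kept; checking only after the stream ends is the same allocation profile as the vulnerable version.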
// Security patch in packages/next/src/build/templates/app-page.ts - ensure maxPostponedStateSize is always respected (#90060)
import { ENCODED_TAGS } from '../../server/stream-utils/encoded-tags'
import { sendRenderResult } from '../../server/send-payload'
import { NoFallbackError } from '../../shared/lib/no-fallback-error.external'
+import { parseMaxPostponedStateSize } from '../../shared/lib/size-limit'
import {
- DEFAULT_MAX_POSTPONED_STATE_SIZE,
- parseMaxPostponedStateSize,
-} from '../../shared/lib/size-limit'
+ getMaxPostponedStateSize,
+ getPostponedStateExceededErrorMessage,
+ readBodyWithSizeLimit,
+} from '../../server/lib/postponed-request-body'
// These are injected by the loader afterwards.
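Review bot: the hunk shows only the import reshuffle, so it cannot be verified as enforcing the limit from these lines alone; dropping DEFAULT_MAX_POSTPONED_STATE_SIZE from the size-limit import implies the default is now resolved inside getMaxPostponedStateSize in '../../server/lib/postponed-request-body', and readBodyWithSizeLimit is presumably what replaces the previous unbounded body read, but none of those call sites are in the excerpt. Include the hunk where readBodyWithSizeLimit replaces the prior buffering and where getPostponedStateExceededErrorMessage is returned to the client, and note that parseMaxPostponedStateSize is still imported separately from '../../shared/lib/size-limit', so both modules remain in play.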
Source: GitHub Next.js Commit
Detection Methods for CVE-2026-27979
Indicators of Compromise
- Unusual volume of POST requests containing the next-resume: 1 header
- Rapid memory consumption or memory exhaustion on Next.js application servers
- Large request body sizes in access logs for requests with next-resume headers
- Application crashes or restarts due to out-of-memory conditions
Detection Strategies
- Configure web application firewalls (WAF) to monitor and alert on requests containing the next-resume header from untrusted sources
- Implement logging rules to track request sizes for PPR-related endpoints
- Set up memory usage monitoring and alerting thresholds for Next.js application processes
- Review access logs for patterns of repeated large POST requests targeting application routes
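An added example, not part of the advisory, of the last strategy: a detector run over constructed access-log lines. It assumes the proxy's log format records $http_next_resume and $content_length in the fields shown, which is a custom format rather than nginx's default, and the function names are hypothetical.

```javascript
const LOG_RE =
  /^(\S+) (\S+) (\S+) (\S+) (\d{3}) content_length=(\S+) next_resume=(\S+)$/;

// One constructed log line -> event, or null if the line does not match.
function parseLine(line) {
  const m = LOG_RE.exec(line.trim());
  if (!m) return null;
  return {
    ts: Date.parse(m[1]), ip: m[2], method: m[3], path: m[4],
    status: Number(m[5]),
    contentLength: m[6] === '-' ? 0 : Number(m[6]),
    nextResume: m[7] !== '-',
  };
}

// Flags clients that sent at least `minCount` next-resume POSTs larger than
// `maxBytes` within any `windowMs` span (sliding window per client IP).
function findResumeFloods(lines, { maxBytes, minCount, windowMs }) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST' || !e.nextResume) continue;
    if (e.contentLength <= maxBytes) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.ts);
  }
  const flagged = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= minCount) { flagged.push(ip); break; }
    }
  }
  return flagged;
}

// Constructed sample (not real traffic): one client sends three 50 MB
// next-resume POSTs in three seconds, then one more five minutes later.
const SAMPLE_LOG = [
  '2026-03-18T10:00:01Z 203.0.113.7 POST /dashboard 200 content_length=52428800 next_resume=1',
  '2026-03-18T10:00:02Z 203.0.113.7 POST /dashboard 200 content_length=52428800 next_resume=1',
  '2026-03-18T10:00:03Z 203.0.113.7 POST /dashboard 200 content_length=52428800 next_resume=1',
  '2026-03-18T10:00:04Z 198.51.100.4 GET /dashboard 200 content_length=- next_resume=-',
  '2026-03-18T10:00:05Z 198.51.100.4 POST /api/form 200 content_length=2048 next_resume=-',
  '2026-03-18T10:00:06Z 192.0.2.9 POST /dashboard 200 content_length=4096 next_resume=1',
  '2026-03-18T10:05:00Z 203.0.113.7 POST /dashboard 200 content_length=52428800 next_resume=1',
];
```

With a 1 MiB threshold and three hits per minute, only 203.0.113.7 is flagged; the single 4 KB resume POST and the non-resume traffic are ignored.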
Monitoring Recommendations
- Monitor server memory utilization with alerting for sudden increases or sustained high consumption
- Implement rate limiting on endpoints that accept next-resume headers
- Set up log aggregation to identify coordinated attack patterns across multiple requests
- Configure application performance monitoring (APM) to track resource consumption per request type
How to Mitigate CVE-2026-27979
Immediate Actions Required
- Upgrade Next.js to version 16.1.7 or later immediately
- If upgrading is not immediately possible, block all requests containing the next-resume header at the WAF or reverse proxy level
- Review application configurations to identify if experimental.ppr or cacheComponents are enabled
- Monitor application memory usage for signs of active exploitation
Patch Information
Vercel has released version 16.1.7, which enforces the size limit across all postponed-body buffering paths and returns an error when the limit is exceeded. The fix is available in the GitHub Next.js Release v16.1.7. The specific commit addressing this vulnerability is documented in the GitHub Security Advisory GHSA-h27x-g6w4-24gq.
Workarounds
- Block requests containing the next-resume header at the reverse proxy or load balancer level, as this header should never be sent from untrusted clients
- Temporarily disable Partial Prerendering by removing experimental.ppr or cacheComponents from your Next.js configuration
- Implement request size limits at the infrastructure level to prevent oversized payloads from reaching the application
# Nginx configuration to block next-resume header
# nginx exposes the "next-resume" request header as $http_next_resume
# (hyphens become underscores); the block fires whenever the header is non-empty
location / {
    if ($http_next_resume) {
        return 403;
    }
    proxy_pass http://nextjs_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.