CVE-2026-44579 Overview
CVE-2026-44579 is a denial-of-service vulnerability in Next.js, the React framework for building full-stack web applications. The flaw affects applications using Partial Prerendering through the Cache Components feature. Attackers can send crafted POST requests to a server action and trigger a request-body handling deadlock. The deadlock keeps connections open for an extended period, consuming file descriptors and server capacity. Legitimate users are eventually denied service when resources are exhausted. The issue is tracked under CWE-770 (Allocation of Resources Without Limits or Throttling) and is fixed in Next.js 15.5.16 and 16.2.5.
Critical Impact
Unauthenticated remote attackers can exhaust server connections and file descriptors, causing denial of service against Next.js applications using Cache Components.
Affected Products
- Next.js versions prior to 15.5.16
- Next.js 16.x versions prior to 16.2.5
- Applications using Partial Prerendering with the Cache Components feature
Discovery Timeline
- 2026-05-13 - CVE-2026-44579 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44579
Vulnerability Analysis
The vulnerability stems from improper handling of POST request bodies inside the Cache Components implementation. When Partial Prerendering routes a server action invocation through this code path, a crafted POST request can place the request-body handler into a deadlocked state. The connection remains open while the server waits for activity that never completes. Each held connection consumes a file descriptor and a slice of the server's connection pool. Repeated requests rapidly drain available resources until the application cannot accept new connections from legitimate users. Confidentiality and integrity are unaffected, but availability is fully compromised.
Root Cause
The root cause is missing resource limits and timeout enforcement on request-body processing within the Cache Components feature (CWE-770). The handler does not bound how long a request can hold a connection or cap the number of concurrent server-action requests that may stall.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted POST requests to a server action endpoint exposed by an affected Next.js application. Each malicious request keeps a connection alive in the deadlocked state. A small number of concurrent attackers can saturate available file descriptors on the host. See the GitHub Security Advisory GHSA-mg66-mrh9-m8jx for technical details.
Detection Methods for CVE-2026-44579
Indicators of Compromise
- Sustained high counts of open TCP connections to Next.js application ports without corresponding response activity.
- Rising file descriptor usage on Node.js processes hosting Next.js without proportional throughput.
- Anomalous volume of POST requests targeting server action endpoints from a narrow set of source addresses.
Detection Strategies
- Monitor application logs for POST requests to server action routes that never complete within expected response time windows.
- Track the ratio of open connections to completed responses on Next.js workers and alert on sustained divergence.
- Inspect reverse proxy or load balancer telemetry for clients holding long-lived POST connections to dynamic routes.
Monitoring Recommendations
- Instrument Node.js processes with file descriptor and event loop metrics and alert when descriptor counts approach ulimit thresholds.
- Forward web server access logs to a centralized analytics platform and baseline POST request duration per route.
- Configure availability monitors against critical user-facing routes to detect early service degradation.
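The detection strategies and monitoring recommendations above can be combined into one offline check over reverse-proxy access logs: baseline the duration of server-action POSTs per route, flag requests that held a connection far beyond that baseline or that the proxy itself aborted, and count the flagged requests per source address. The following is an added example, not code from the advisory or from the Next.js project. It assumes the proxy writes one JSON object per request with the fields ts, client, method, path, status, duration_s and next_action (the value of the incoming Next-Action header that Next.js sends with server-action invocations, empty when absent); those field names, the sample lines and the thresholds are assumptions, and status 499 follows nginx's convention for a client that closed the connection before a reply.

```javascript
// Added example: flag stalled POST requests to Next.js server actions in
// reverse-proxy access logs. Not part of the advisory or of Next.js itself.
// Assumed log schema (one JSON object per line): ts, client, method, path,
// status, duration_s (seconds the proxy spent on the request), next_action
// (value of the incoming Next-Action header, "" when absent).

const SAMPLE_LOG = [ // constructed sample lines, not real traffic
  '{"ts":"2026-05-13T10:00:01Z","client":"198.51.100.7","method":"GET","path":"/","status":200,"duration_s":0.012,"next_action":""}',
  '{"ts":"2026-05-13T10:00:02Z","client":"198.51.100.7","method":"POST","path":"/checkout","status":200,"duration_s":0.085,"next_action":"7f3a"}',
  '{"ts":"2026-05-13T10:00:03Z","client":"198.51.100.9","method":"POST","path":"/checkout","status":200,"duration_s":0.091,"next_action":"7f3a"}',
  '{"ts":"2026-05-13T10:00:04Z","client":"198.51.100.9","method":"POST","path":"/api/upload","status":200,"duration_s":45.2,"next_action":""}',
  '{"ts":"2026-05-13T10:05:10Z","client":"203.0.113.5","method":"POST","path":"/checkout","status":499,"duration_s":600.0,"next_action":"7f3a"}',
  '{"ts":"2026-05-13T10:05:10Z","client":"203.0.113.5","method":"POST","path":"/checkout","status":499,"duration_s":600.0,"next_action":"7f3a"}',
  '{"ts":"2026-05-13T10:05:11Z","client":"203.0.113.5","method":"POST","path":"/checkout","status":499,"duration_s":600.0,"next_action":"7f3a"}',
  '{"ts":"2026-05-13T10:05:12Z","client":"203.0.113.6","method":"POST","path":"/checkout","status":504,"duration_s":60.0,"next_action":"7f3a"}',
  '{"ts":"2026-05-13T10:05:13Z","client":"198.51.100.7","method":"POST","path":"/checkout","status":200,"duration_s":0.080,"next_action":"7f3a"}',
  'not json garbage line',
];

// Parse one line; malformed lines are skipped instead of aborting the scan.
function parseLogLine(line) {
  try {
    const rec = JSON.parse(line);
    if (typeof rec.method !== 'string' || typeof rec.duration_s !== 'number') return null;
    return rec;
  } catch {
    return null;
  }
}

// A server-action invocation is a POST carrying a Next-Action header.
// Plain POSTs to API routes (e.g. uploads) are legitimately slow and are excluded.
function isServerActionPost(rec) {
  return rec.method === 'POST' && typeof rec.next_action === 'string' && rec.next_action !== '';
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Baseline: median duration of server-action POSTs per route, using only
// requests that completed with a non-error status.
function routeBaselines(records) {
  const byRoute = new Map();
  for (const r of records) {
    if (!isServerActionPost(r) || r.status >= 400) continue;
    if (!byRoute.has(r.path)) byRoute.set(r.path, []);
    byRoute.get(r.path).push(r.duration_s);
  }
  const out = {};
  for (const [path, ds] of byRoute) out[path] = median(ds);
  return out;
}

// Flag server-action POSTs that held the connection far longer than the
// route's baseline, exceeded an absolute ceiling, or ended with a proxy-side
// abort/timeout status instead of an application reply. Then count flagged
// requests per client, since concentration on a few source addresses is the
// indicator described in the advisory.
function findStalledActionPosts(lines, opts = {}) {
  const hardLimitSec = opts.hardLimitSec ?? 30;     // assumed ceiling for an action
  const baselineFactor = opts.baselineFactor ?? 50; // assumed: 50x route median is "stalled"
  const records = lines.map(parseLogLine).filter(Boolean);
  const baselines = routeBaselines(records);
  const stalled = [];
  for (const r of records) {
    if (!isServerActionPost(r)) continue;
    const base = baselines[r.path];
    const tooLong = r.duration_s >= hardLimitSec ||
      (base !== undefined && r.duration_s >= base * baselineFactor);
    const abortedByProxy = r.status === 499 || r.status === 504 || r.status === 408;
    if (tooLong || abortedByProxy) stalled.push(r);
  }
  const byClient = {};
  for (const r of stalled) byClient[r.client] = (byClient[r.client] ?? 0) + 1;
  return { baselines, stalled, byClient };
}

function main() {
  const report = findStalledActionPosts(SAMPLE_LOG);
  console.log('per-route baseline (s):', report.baselines);
  for (const r of report.stalled) {
    console.log(`STALLED ${r.client} ${r.path} status=${r.status} ${r.duration_s}s`);
  }
  console.log('stalled server-action POSTs per client:', report.byClient);
}
main();
```

On the constructed sample the /checkout baseline is 0.085 s, the three 600 s POSTs from 203.0.113.5 and the 504 from 203.0.113.6 are flagged, and the 45 s upload POST is left alone because it carries no Next-Action header. In production the same logic runs over a sliding window; alerting on a per-client count well above the normal rate for a route gives the "sustained divergence" signal the strategies above describe.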
How to Mitigate CVE-2026-44579
Immediate Actions Required
- Upgrade Next.js to version 15.5.16 or 16.2.5, depending on the major release line in use.
- Inventory deployments to identify applications that enable Partial Prerendering and the Cache Components feature.
- Place rate limiting in front of server action endpoints at the reverse proxy or CDN layer until patching completes.
Patch Information
Vercel released fixes in Next.js 15.5.16 and 16.2.5. The patches address the request-body deadlock in the Cache Components code path. Review the GitHub Security Advisory GHSA-mg66-mrh9-m8jx for upgrade guidance and release notes.
Workarounds
- Disable the Cache Components feature on affected applications until upgrades are deployed.
- Enforce strict request body size limits and idle connection timeouts at the load balancer or reverse proxy.
- Apply per-IP connection caps and POST request rate limits on routes that expose server actions.
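The proxy-layer workarounds above (body size limits, idle connection timeouts, per-IP connection caps and POST rate limits) map onto a small set of nginx directives. The following is an added example, not configuration from the advisory or from the Next.js project; the upstream name nextjs_app, the server name and the numeric limits are placeholders to tune per deployment. It shows a permissive configuration beside a bounded one; it limits how long any single client can hold proxy and upstream resources but does not remove the underlying defect, so upgrading remains the fix.

```nginx
# Added example (not from the advisory or Next.js). Goes inside the http {} block.
# Placeholders: upstream "nextjs_app", server_name, and all numeric limits.

# --- Permissive: nothing bounds body reads, idle connections, or per-client
#     concurrency, so a stalled server-action POST occupies a proxy connection
#     and an upstream Node.js socket for as long as the client keeps it open.
# server {
#     listen 80;
#     location / { proxy_pass http://nextjs_app; }
# }

# --- Bounded: limit body size and body read time, cap concurrent connections
#     per client, and rate-limit POSTs only (the advisory's affected method).

# Connection cap keyed by client address.
limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;

# Rate-limit key is the client address for POSTs and empty otherwise;
# nginx does not account requests whose key is empty, so GETs are unaffected.
map $request_method $post_client_key {
    POST    $binary_remote_addr;
    default "";
}
limit_req_zone $post_client_key zone=per_ip_post:10m rate=5r/s;

server {
    listen 80;
    server_name app.example.com;        # placeholder

    client_max_body_size   1m;          # server-action payloads are small
    client_body_timeout    10s;         # max gap between two successive body reads
    client_header_timeout  10s;
    send_timeout           10s;         # max gap between two writes to the client
    keepalive_timeout      15s;

    limit_conn per_ip_conn 20;          # concurrent connections per client IP

    location / {
        limit_req zone=per_ip_post burst=10 nodelay;   # POST rate per client IP
        proxy_pass http://nextjs_app;
        proxy_request_buffering on;     # read the whole body before forwarding to Node
        proxy_read_timeout  30s;        # stop waiting on an upstream that never answers
        proxy_send_timeout  10s;
    }
}
```

The two timeouts that matter most for this issue are client_body_timeout, which cuts off a body that stops arriving, and proxy_read_timeout, which releases the proxy side of an upstream connection that has deadlocked; the Node.js process may still hold its own descriptor until it observes the closed socket, which is why the per-IP connection cap and the POST rate limit are applied as well.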
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.