Description
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Next.js versions 16.0.1 through 16.1.6 allow an attacker to send an HTTP POST request containing the `next-resume: 1` header, triggering unbounded postponed resume-body buffering. Because memory limits are not consistently enforced in non‑minimal deployments with Partial Prerendering enabled, oversized payloads can consume excessive memory, leading to a denial‑of‑service. This resource exhaustion flaw is categorized as CWE‑770, and based on the description it is inferred that no authentication is needed to launch the attack.

Affected Systems

The affected product is Vercel’s Next.js framework. Versions 16.0.1 up to and including 16.1.6 are vulnerable. Applications using the App Router with Partial Prerendering enabled in non‑minimal deployments are impacted, while minimal-mode deployments remain protected by the previous mitigation.

Risk and Exploitability

The CVSS v3 score is 6.9, indicating moderate risk, and the EPSS score is less than 1%, implying a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP POST request to a vulnerable Next.js application with the `next-resume` header; this inference comes from the fact that the description states an attacker can send oversized payloads without mentioning authentication.

Generated by OpenCVE AI on March 18, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to version 16.1.7 or later, which enforces buffer size limits on all postponed-body buffering paths.
  • If an upgrade cannot be performed immediately, block incoming requests that contain the `next-resume` header, as this header is never legitimately sent by untrusted clients.
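
The two recommended actions can be expressed as a version check and a request guard. This is an added example, not code from Next.js or the advisory: `hasResumeHeader`, `isAffectedVersion` and `guardResume` are hypothetical names, and it assumes the guard wraps the Node `(req, res)` handler (custom server or front proxy) that sits in front of the application.

```javascript
// Added example: mitigation guard and affected-range check for this advisory.
// Assumption: `handler` is whatever (req, res) function serves the app;
// none of the names below are Next.js APIs.

const RESUME_HEADER = 'next-resume';

// Node's http module lowercases incoming header names; normalise anyway so
// the check also works on plain header objects from other frameworks.
function hasResumeHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === RESUME_HEADER
  );
}

// Affected range stated in the description: >= 16.0.1 and < 16.1.7.
// Returns null for pre-release or unparseable strings (review those by hand).
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  if (!m) return null;
  const v = m.slice(1).map(Number);
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  return cmp(v, [16, 0, 1]) >= 0 && cmp(v, [16, 1, 7]) < 0;
}

// Wrap a (req, res) handler. A request carrying the header is answered with
// 400 before any body bytes are read, and "Connection: close" asks Node to
// drop the socket once the response has been sent.
function guardResume(handler) {
  return function guarded(req, res) {
    if (hasResumeHeader(req.headers)) {
      res.writeHead(400, { 'Content-Type': 'text/plain', Connection: 'close' });
      res.end('Bad Request\n');
      return false; // blocked
    }
    handler(req, res);
    return true; // passed through
  };
}
```

The same rule belongs at the outermost hop that untrusted clients reach (load balancer, CDN or reverse proxy) so that oversized bodies never arrive at the Node process.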

Advisories
Source | ID | Title
GitHub GHSA | GHSA-h27x-g6w4-24gq | Next.js: Unbounded postponed resume buffering can lead to DoS
History

Thu, 19 Mar 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Wed, 18 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
 | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vercel; Vercel next.js
Vendors & Products | | Vercel; Vercel next.js

Wed, 18 Mar 2026 01:00:00 +0000

Type | Values Removed | Values Added
Title | | Next.js: Unbounded postponed resume buffering can lead to DoS
Weaknesses | | CWE-770
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T19:51:36.190Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27979

Vulnrichment

Updated: 2026-03-18T19:51:28.994Z

NVD

Status: Analyzed

Published: 2026-03-18T01:16:04.797

Modified: 2026-03-18T20:04:17.953

Link: CVE-2026-27979

Red Hat

Severity: Moderate

Public Date: 2026-03-18T00:13:29Z

Links: CVE-2026-27979 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:53:55Z

Weaknesses