Description
Next.js is a React framework for building full-stack web applications. In versions before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to craft POST requests to a Next.js server action that trigger a request-body handling deadlock. The deadlock keeps file descriptors open, exhausting connection resources and eventually denying legitimate users access to the application. The weakness is an instance of resource exhaustion (CWE-770).

Affected Systems

Affected products are Vercel's Next.js framework, specifically all releases before version 15.5.16 and 16.2.5. Deployments that enable Partial Prerendering with Cache Components are vulnerable, while configurations that disable this feature or use newer releases are safe.

Risk and Exploitability

The CVSS score of 7.5 reflects a high severity risk. An EPSS score of 0.00019 (<1%) indicates a very low but nonzero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be direct network access via crafted POST requests to the server, which can be exploited by attackers who can send requests to the application. No authentication requirement is specified, implying that any external user could trigger the DoS.

Generated by OpenCVE AI on June 3, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to version 15.5.16 or 16.2.5, whichever applies to your environment, to eliminate the deadlock flaw.
  • If an upgrade is not possible, disable Partial Prerendering or Cache Components in your application configuration to block the vulnerable path.
  • Implement request throttling or rate limiting on POST endpoints that invoke server actions to reduce the ability of an attacker to exhaust connections.
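A minimal per-client token-bucket rate limiter for server-action POSTs, added here to illustrate the third recommendation; it is not code from Next.js, Vercel or OpenCVE. It assumes that Next.js marks server-action invocations with a `Next-Action` request header (as the App Router does) and that the caller supplies a client key such as the connecting IP; the bucket capacity, refill rate and the request objects used in `simulateBurst` are constructed for the example.

```javascript
// Token-bucket rate limiter for POST requests that invoke Next.js server actions.
// Added example (not Next.js or advisory code). Assumes server-action POSTs carry
// a `Next-Action` header; CAPACITY and REFILL_PER_SEC are illustrative values.

const CAPACITY = 20;        // burst allowance per client
const REFILL_PER_SEC = 2;   // sustained requests per second per client
const buckets = new Map();  // clientKey -> { tokens, lastMs }

// True when the request is a server-action invocation (POST + Next-Action header).
function isServerActionPost(method, headers) {
  if (String(method).toUpperCase() !== 'POST') return false;
  return Object.keys(headers || {}).some((h) => h.toLowerCase() === 'next-action');
}

// Consumes one token for `clientKey`; returns true when the request may proceed.
// `nowMs` is injectable so the refill behaviour can be exercised deterministically.
function allow(clientKey, nowMs = Date.now()) {
  let b = buckets.get(clientKey);
  if (!b) {
    b = { tokens: CAPACITY, lastMs: nowMs };
    buckets.set(clientKey, b);
  }
  const elapsedSec = Math.max(0, nowMs - b.lastMs) / 1000;
  b.tokens = Math.min(CAPACITY, b.tokens + elapsedSec * REFILL_PER_SEC);
  b.lastMs = nowMs;
  if (b.tokens >= 1) {
    b.tokens -= 1;
    return true;
  }
  return false;
}

// Decides what to do with one incoming request.
// Only server-action POSTs are counted; everything else passes through untouched.
function decide({ method, headers, clientKey }, nowMs = Date.now()) {
  if (!isServerActionPost(method, headers)) {
    return { allowed: true, status: 200, reason: 'not a server action' };
  }
  if (allow(clientKey, nowMs)) {
    return { allowed: true, status: 200, reason: 'within limit' };
  }
  return { allowed: false, status: 429, reason: 'rate limited' };
}

// Sends `count` constructed server-action POSTs from one client at the same
// instant and reports how many were admitted versus throttled.
function simulateBurst(count, clientKey, nowMs) {
  const sample = { method: 'POST', headers: { 'Next-Action': 'deadbeef' }, clientKey }; // constructed
  let allowed = 0;
  let limited = 0;
  for (let i = 0; i < count; i++) {
    if (decide(sample, nowMs).allowed) allowed++;
    else limited++;
  }
  return { allowed, limited };
}

function resetBuckets() {
  buckets.clear();
}

// Stand-alone demonstration: 25 requests in one burst from a constructed client.
console.log(simulateBurst(25, '198.51.100.7', 1_000_000));
resetBuckets();
```

In a real deployment the `decide` call would sit in the application's `middleware` (or in front of the app in a reverse proxy) and translate `allowed: false` into a 429 response; that wiring depends on the Next.js version and is omitted so the file runs under plain Node. The in-memory map is per process; a multi-instance deployment needs a shared store.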

Generated by OpenCVE AI on June 3, 2026 at 14:20 UTC.

Advisories
  • Source: GitHub GHSA
  • ID: GHSA-mg66-mrh9-m8jx
  • Title: Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
History

Wed, 03 Jun 2026 12:15:00 +0000
  • Weaknesses: added CWE-833
  • References: updated (values not shown)
  • Metrics (threat_severity): removed None; added Important

Thu, 14 May 2026 18:45:00 +0000
  • CPEs: added cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Thu, 14 May 2026 16:30:00 +0000
  • Metrics (ssvc): added {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 20:15:00 +0000
  • First Time appeared: Vercel; Vercel next.js
  • Vendors & Products: Vercel; Vercel next.js

Wed, 13 May 2026 18:00:00 +0000
  • Description: added "Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5."
  • Title: added Next.js: Denial of Service via connection exhaustion in applications using Cache Components
  • Weaknesses: added CWE-770
  • References: updated (values not shown)
  • Metrics (cvssV3_1): added {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:33:59.145Z

Reserved: 2026-05-06T21:49:12.424Z

Link: CVE-2026-44579

Vulnrichment

Updated: 2026-05-14T15:33:55.462Z

NVD

Status: Analyzed

Published: 2026-05-13T18:16:18.123

Modified: 2026-05-14T18:34:04.757

Link: CVE-2026-44579

Redhat

Severity: Important

Public Date: 2026-05-13T17:04:28Z

Links: CVE-2026-44579 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-03T14:30:35Z

Weaknesses