
CVE-2025-59472: Vulnerability in vercel next

Medium
Published: Mon Jan 26 2026 (01/26/2026, 21:43:05 UTC)
Source: CVE Database V5
Vendor/Project: vercel
Product: next

Description

CVE-2025-59472 is a denial of service vulnerability in Vercel's Next.js affecting versions with Partial Prerendering (PPR) enabled and running in minimal mode. It allows unauthenticated attackers to send specially crafted POST requests carrying the 'Next-Resume: 1' header to the PPR resume endpoint, causing the server to exhaust memory and crash. The attack exploits two issues: unbounded buffering of the request body and unbounded decompression of cached resume data, including a zipbomb-style payload. Either leads to a fatal JavaScript heap out-of-memory error that terminates the Node.js process and takes the application down. Exploitation requires the application to be configured with experimental.ppr or cacheComponents enabled and NEXT_PRIVATE_MINIMAL_MODE=1. The vulnerability has a CVSS score of 5.9 (medium severity) and no known exploits in the wild.

AI-Powered Analysis

AI analysis last updated: 02/03/2026, 08:44:12 UTC

Technical Analysis

CVE-2025-59472 is a denial of service (DoS) vulnerability in Vercel's Next.js framework. It affects versions from 15.0.0-canary.0 up to 16.1.0 when Partial Prerendering (PPR) is enabled via the experimental.ppr or cacheComponents configuration and the environment variable NEXT_PRIVATE_MINIMAL_MODE=1 is set. The vulnerable code is the PPR resume endpoint, which accepts unauthenticated POST requests carrying the 'Next-Resume: 1' header and processes the postponed state sent by the client without validating or bounding its size.

Two related flaws make memory exhaustion possible:

1. The server buffers the entire POST body into memory with Buffer.concat() and no size limit, so an attacker can send an arbitrarily large body and consume all available memory.
2. The server decompresses cached resume data with inflateSync() and no limit on the decompressed size. This enables a zipbomb-style attack in which a small compressed payload expands to hundreds of megabytes or gigabytes.

Either path ends with the Node.js process aborting on a fatal V8 out-of-memory error, taking the application down. The zipbomb variant is the more dangerous of the two: the compressed payload is small enough to pass reverse-proxy request size limits, so a body-size cap at the edge does not stop it and the limit has to be enforced where the data is inflated. Exploitation needs no authentication and no user interaction. The weakness is tracked as CWE-400 (Uncontrolled Resource Consumption). No exploitation in the wild has been reported; the medium CVSS score (5.9) reflects the moderate exploitation complexity and an impact confined to availability.

The fix is in Next.js 15.6.0-canary.61 and 16.1.5, which enforce a request body size limit and a decompression output limit. Organizations should audit their Next.js configurations for PPR and minimal mode and apply the patches promptly to avoid service disruption.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the availability of web applications built on vulnerable Next.js versions with Partial Prerendering enabled in minimal mode. Successful exploitation crashes the server through memory exhaustion, causing denial of service and downtime of the affected web services, which can disrupt business operations, degrade user experience, and lead to financial and reputational damage. Because the attack requires no authentication and the zipbomb variant passes reverse proxy request size limits, perimeter defenses alone may be insufficient. Organizations that run Next.js for customer-facing websites, e-commerce platforms, or internal portals with this configuration are exposed, and the impact is greatest in sectors with high traffic or strict uptime requirements such as finance, healthcare, and government services. The vulnerability could also be used as one component of larger distributed denial of service (DDoS) campaigns against European digital infrastructure. Confidentiality and integrity are not directly affected, but the availability impact alone warrants prompt remediation to maintain service continuity and to meet regulatory requirements such as the EU NIS Directive.

Mitigation Recommendations

1. Upgrade Next.js to 15.6.0-canary.61 or 16.1.5 or later; these releases limit request body buffering and decompression output size.
2. Audit application configurations for experimental.ppr or cacheComponents and for the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable; disable these features where they are not strictly necessary. Both conditions must hold for the vulnerable code path to be reachable.
3. Enforce application-layer request body size limits and decompression output limits where possible. The decompression limit matters most: a body-size limit at a reverse proxy does not stop a small compressed payload that expands in memory.
4. Deploy Web Application Firewall (WAF) rules that detect POST requests carrying the 'Next-Resume: 1' header with oversized bodies or abnormal request rates against the PPR resume endpoint. Blocking the header outright disables PPR resume for legitimate clients, so scope the rule to size and rate anomalies unless PPR is being turned off anyway.
5. Monitor Node.js process memory and restarts; sudden heap growth followed by an out-of-memory exit is the signature of this attack.
6. Rate limit the PPR resume endpoint to reduce the number of attempts an attacker can make.
7. Conduct regular security testing and code reviews focused on resource consumption in server-side rendering features.
8. Coordinate with hosting providers or cloud platforms on network-level protections against large payloads, keeping in mind that such protections do not cover the decompression variant.
9. Educate development teams about the risks of enabling experimental features in production without a security assessment.


Technical Details

Data Version
5.2
Assigner Short Name
hackerone
Date Reserved
2025-09-16T15:00:07.876Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6977e1c04623b1157cbdb6a0

Added to database: 1/26/2026, 9:50:56 PM

Last enriched: 2/3/2026, 8:44:12 AM

Last updated: 2/7/2026, 7:17:58 AM
