
CVE-2025-59472: Vulnerability in vercel next

Severity: Medium
Published: Mon Jan 26 2026 (01/26/2026, 21:43:05 UTC)
Source: CVE Database V5
Vendor/Project: vercel
Product: next

Description

CVE-2025-59472 is a denial of service vulnerability in Vercel's Next.js framework when Partial Prerendering (PPR) is enabled and the server runs in minimal mode. The vulnerability arises from unauthenticated POST requests to the PPR resume endpoint that accept attacker-controlled data, leading to unbounded memory consumption. Two main attack vectors exist: unbounded request body buffering and unbounded decompression of compressed payloads (zipbomb), both causing fatal out-of-memory errors and crashing the Node.js process. Exploitation requires the application to be configured with experimental.ppr: true or cacheComponents: true and NEXT_PRIVATE_MINIMAL_MODE=1. The vulnerability affects many Next.js canary versions prior to 15.6.

AI-Powered Analysis

Last updated: 01/26/2026, 22:05:20 UTC

Technical Analysis

CVE-2025-59472 is a denial of service (DoS) vulnerability affecting Vercel's Next.js framework versions with Partial Prerendering (PPR) enabled and running in minimal mode (NEXT_PRIVATE_MINIMAL_MODE=1). The vulnerability stems from the PPR resume endpoint accepting unauthenticated POST requests containing the 'Next-Resume: 1' header and processing attacker-controlled postponed state data without proper input validation or resource constraints. Two closely related issues enable an attacker to exhaust server memory and crash the Node.js process: (1) unbounded request body buffering, where the server concatenates the entire POST request body into memory using Buffer.concat() without enforcing size limits, allowing arbitrarily large payloads to consume all available memory; and (2) unbounded decompression, where the resume data cache is decompressed using inflateSync() without limiting the decompressed output size, enabling a small compressed payload (zipbomb) to expand to hundreds of megabytes or gigabytes, causing memory exhaustion. The resulting fatal V8 out-of-memory error terminates the server process, causing denial of service. The zipbomb attack is particularly dangerous as it can bypass reverse proxy request size limits by sending small compressed payloads that decompress into large memory allocations. To be vulnerable, applications must have experimental.ppr or cacheComponents enabled and run in minimal mode. The affected versions include numerous 15.x canary releases and 16.1.0, with fixes introduced in 15.6.0-canary.61 and 16.1.5. The CVSS 3.1 score is 5.9 (medium), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to availability. No known exploits are currently reported in the wild. This vulnerability primarily threatens availability of Next.js applications configured with these experimental features, potentially causing service outages and impacting user experience.

Potential Impact

For European organizations using Next.js with Partial Prerendering enabled and running in minimal mode, this vulnerability poses a significant risk of denial of service through memory exhaustion attacks. Such attacks can cause server crashes and application downtime, disrupting business operations, customer-facing services, and internal tools relying on Next.js. Organizations in sectors with high web service availability requirements—such as e-commerce, finance, healthcare, and public services—may experience reputational damage and financial losses due to outages. The zipbomb attack vector can circumvent typical reverse proxy protections, making mitigation more challenging. Since the vulnerability does not affect confidentiality or integrity, data breaches are unlikely, but availability impacts can be severe, especially for high-traffic applications. The widespread use of Next.js in Europe, particularly in technology hubs and digital service providers, increases the potential attack surface. Additionally, the unauthenticated nature of the attack means any external attacker can attempt exploitation without credentials, increasing risk. The medium CVSS score reflects the moderate ease of exploitation balanced against the limited impact scope, but the potential for large-scale service disruption remains a concern.

Mitigation Recommendations

1. Upgrade all affected Next.js applications to version 15.6.0-canary.61, 16.1.5, or later, where the vulnerability is patched.
2. Disable Partial Prerendering (experimental.ppr) and cacheComponents if they are not essential, or avoid running in minimal mode (NEXT_PRIVATE_MINIMAL_MODE=1) until patched versions are deployed.
3. Implement strict request size limits at the reverse proxy or load balancer level to restrict maximum POST body sizes, although this alone may not prevent zipbomb attacks.
4. Introduce decompression size limits or timeouts in the application layer to prevent excessive memory allocation during inflateSync() operations.
5. Monitor application logs and server metrics for unusual spikes in memory usage or request patterns targeting the PPR resume endpoint.
6. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious POST requests containing the 'Next-Resume: 1' header or unusually large payloads.
7. Conduct regular security assessments and penetration tests focusing on DoS vectors related to request handling and decompression.
8. Educate development teams about the risks of enabling experimental features in production environments without thorough security evaluation.


Technical Details

Data Version: 5.2
Assigner Short Name: hackerone
Date Reserved: 2025-09-16T15:00:07.876Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6977e1c04623b1157cbdb6a0

Added to database: 1/26/2026, 9:50:56 PM

Last enriched: 1/26/2026, 10:05:20 PM

Last updated: 1/27/2026, 1:28:33 AM

