Next.js, a popular React framework for building full-stack web applications, introduced a vulnerability identified as CVE-2026-27979 affecting versions from 16.0.1 up to 16.1.7. The vulnerability stems from improper resource allocation controls in the handling of POST requests containing the 'next-resume: 1' header, which corresponds to a Partial Prerendering (PPR) resume request. Specifically, in applications using the App Router with Partial Prerendering enabled (via experimental flags such as 'experimental.ppr' or 'cacheComponents'), the framework buffers request bodies without consistently enforcing the configured 'maxPostponedStateSize' limit in certain deployment setups. While minimal-mode deployments had mitigations, non-minimal deployments remained vulnerable to unbounded buffering. An attacker can exploit this by sending oversized POST payloads with the 'next-resume' header, causing the server to allocate excessive memory resources. This can lead to denial of service conditions due to resource exhaustion. The vulnerability does not require authentication or user interaction and can be triggered remotely. The fix, implemented in Next.js version 16.1.7, enforces size limits across all postponed-body buffering paths and returns errors when these limits are exceeded. As an interim mitigation, blocking requests containing the 'next-resume' header from untrusted clients is advised since legitimate clients should not send this header. The CVSS v4.0 base score is 6.9, reflecting a medium severity with network attack vector, low complexity, no privileges or user interaction required, and limited impact on availability. No known exploits have been reported in the wild as of the publication date.

This vulnerability primarily impacts the availability of Next.js applications configured with the App Router and Partial Prerendering features enabled. An attacker can cause excessive memory consumption by sending large POST requests with the 'next-resume' header, potentially leading to denial of service through resource exhaustion. This can disrupt web services, degrade performance, or cause application crashes, impacting user experience and business continuity. Organizations relying on Next.js for critical web applications, especially those using the affected versions and experimental features, are at risk of service outages. Since exploitation requires no authentication or user interaction, the attack surface is broad and can be targeted by remote attackers. While confidentiality and integrity are not directly impacted, the availability disruption can have cascading effects on dependent services and user trust. The medium severity rating reflects the moderate but significant risk to service stability. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks, especially as awareness of the vulnerability spreads.

1. Upgrade all Next.js applications to version 16.1.7 or later, where the vulnerability is fully patched with enforced size limits on postponed-body buffering. 2. If immediate upgrade is not feasible, implement network-level filtering to block all incoming HTTP requests containing the 'next-resume' header, as this header should not be sent by untrusted clients. 3. Review application configurations to identify deployments using the App Router with Partial Prerendering enabled (flags 'experimental.ppr' or 'cacheComponents') and prioritize patching these environments. 4. Monitor application memory usage and logs for abnormal spikes or errors related to request buffering to detect potential exploitation attempts. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block oversized POST requests or suspicious 'next-resume' header usage. 6. Conduct regular security assessments and update dependency management processes to ensure timely application of patches for Next.js and related frameworks. 7. Educate development and operations teams about the risks associated with experimental features and the importance of applying vendor security updates promptly.