Next.js Denial-of-Service Vulnerability in Partial Prerendering

Vulnerability

A denial-of-service vulnerability has been identified in Next.js versions 15.0.0-canary.0 through 15.5.9-canary.0 and in version 16.1.0, when Partial Prerendering (PPR) is enabled and the application is running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests carrying the 'Next-Resume: 1' header, so any client that can reach the application can submit a payload to it. Two weaknesses in how that endpoint handles the request body let an attacker exhaust server memory.

Unbounded request body buffering: the server reads the entire POST body into memory with no size limit, so memory use grows in proportion to the length of whatever the attacker sends.

Unbounded decompression: a compressed body is inflated with no cap on the output size, so a 'zipbomb' (a small compressed payload that expands to a very large one) triggers an allocation out of all proportion to the bytes actually transmitted.

Either vector drives the Node.js process into a fatal out-of-memory error and crashes it. The zipbomb variant is particularly concerning because reverse proxy request size limits are evaluated against the compressed size on the wire: a payload that sits comfortably under such a limit still expands to a large allocation once the application decompresses it.

Impact

Exploitation leads to memory exhaustion that terminates the Node.js process, making the application unavailable. Because the resume endpoint does not require authentication, no credentials are needed to trigger the crash, and the zipbomb variant carries the added risk that a reverse proxy's request size limit, which is checked against the compressed body, does not stop it.

Remediation

Users are advised to upgrade to Next.js 15.6.0-canary.61 or 16.1.5, which contain the fix. A request size limit enforced at a reverse proxy is not a substitute for the upgrade: it is evaluated against the compressed body and therefore does not stop the zipbomb variant.

Added: Jan 26, 2026, 10:28 PM
Updated: Jan 26, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 8.3
remediation: 8.3
relevance: 2.4
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.