Next.js Unbounded Buffering Vulnerability in POST Requests with Partial Prerendering

Vulnerability

A vulnerability in Next.js versions 16.0.1 prior to 16.1.7 allows for unbounded buffering of request bodies in POST requests that include the 'next-resume: 1' header. This issue arises in non-minimal deployments when the App Router's Partial Prerendering capability is enabled. The vulnerability can lead to excessive memory usage and potential denial-of-service conditions.

Impact

Exploitation of this vulnerability can cause excessive memory consumption, leading to potential denial-of-service conditions.

Reproduction

To reproduce this vulnerability, send a POST request to a Next.js application with the 'next-resume: 1' header and an oversized payload. Ensure that the application is using the App Router with Partial Prerendering enabled, and that it is a non-minimal deployment.

Remediation

Users can upgrade to Next.js version 16.1.7 or later. If an immediate upgrade is not possible, block requests containing the 'next-resume' header.

Added: Mar 18, 2026, 1:21 AM
Updated: Mar 18, 2026, 1:21 AM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
2.5
exploitability
8.9
remediation
7.9
relevance
2.7
threat
4.8
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.