Vercel Next.js
cpe:2.3:a:vercel:next.js:*:*:*:*:node.js:*:*
- >= 16.1.0, < 16.1.7
A vulnerability in Next.js versions 16.0.1 prior to 16.1.7 allows for unbounded buffering of request bodies in POST requests that include the 'next-resume: 1' header. This issue arises in non-minimal deployments when the App Router's Partial Prerendering capability is enabled. The vulnerability can lead to excessive memory usage and potential denial-of-service conditions.
Exploitation of this vulnerability can cause excessive memory consumption, leading to potential denial-of-service conditions.
To reproduce this vulnerability, send a POST request to a Next.js application with the 'next-resume: 1' header and an oversized payload. Ensure that the application is using the App Router with Partial Prerendering enabled, and that it is a non-minimal deployment.
Users can upgrade to Next.js version 16.1.7 or later. If an immediate upgrade is not possible, block requests containing the 'next-resume' header.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.