Vercel Next.js
cpe:2.3:a:vercel:next.js:*:*:*:*:node.js:*:*
- >= 15.0.0, < 15.5.16
- >= 16.0.0, < 16.2.5
A denial-of-service vulnerability has been identified in Next.js versions 15.0.0 prior to 15.5.16 and 16.0.0 prior to 16.2.5. This issue affects applications using Partial Prerendering with the Cache Components feature, where crafted POST requests to a server action can cause connection exhaustion. The malicious requests trigger a deadlock in handling the request body, leaving connections open for a prolonged period. This behavior consumes file descriptors and server resources, ultimately denying service to legitimate users.
Exploitation of this vulnerability leads to connection exhaustion, causing a request-body handling deadlock that keeps connections open for an extended time. This consumption of file descriptors and server capacity can result in denial-of-service for legitimate users.
Users can upgrade to Next.js version 15.5.16 or 16.2.5 to address this vulnerability. If an immediate upgrade is not possible, requests containing the 'Next-Resume' header can be blocked at the edge, as these requests would be handled by Next.js.
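The following is an added example, not code from the advisory or from the Next.js project. It turns the two actionable items above into checks a defender can run: an `isAffected` function that tests an installed Next.js version against the affected ranges listed on this page (pre-release tags such as a canary of the fixed version are treated as preceding that release), and a `shouldBlock`/`filterRequest` pair that implements the interim mitigation of rejecting requests carrying the `Next-Resume` header before they reach the application. The header name and version ranges come from the page; the handler shape (`filterRequest` returning a status object or `null`) is an assumption chosen so the same logic can sit in a Next.js middleware or any Fetch-API style edge runtime.

```javascript
// Added example (not from the advisory or the Next.js project).
// Affected ranges as stated on this page:
//   >= 15.0.0, < 15.5.16   and   >= 16.0.0, < 16.2.5
// Each version is represented as [major, minor, patch, releaseFlag] where
// releaseFlag is 0 for a pre-release tag and 1 for a final release, so that
// "15.5.16-canary.2" sorts before "15.5.16" (semver ordering).
const AFFECTED_RANGES = [
  { min: [15, 0, 0, 1], fixed: [15, 5, 16, 1] },
  { min: [16, 0, 0, 1], fixed: [16, 2, 5, 1] },
];

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and optional
// pre-release suffix (e.g. "-canary.3"). Throws on anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when the given Next.js version lies inside one of the affected ranges.
function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.fixed) < 0
  );
}

// Interim mitigation from the advisory: reject requests that carry the
// Next-Resume header. HTTP header names are case-insensitive, so compare
// after lower-casing. Accepts a plain object of header name -> value.
function shouldBlock(headers) {
  return Object.keys(headers).some((name) => name.toLowerCase() === "next-resume");
}

// Hypothetical edge/middleware entry point (assumed shape, not a Next.js API):
// returns a response descriptor to short-circuit the request, or null to let
// it pass through to the application. `request.headers` may be a Fetch-API
// Headers object (which has .entries()) or a plain object for offline use.
function filterRequest(request) {
  const raw = request.headers || {};
  const headers =
    typeof raw.entries === "function" ? Object.fromEntries(raw.entries()) : raw;
  if (shouldBlock(headers)) {
    return { status: 403, body: "Request rejected: Next-Resume header not accepted" };
  }
  return null;
}

// Stand-alone demonstration with constructed sample data.
if (typeof require !== "undefined" && require.main === module) {
  for (const v of ["15.5.15", "15.5.16", "16.2.4", "16.2.5", "14.2.0"]) {
    console.log(`${v}: ${isAffected(v) ? "AFFECTED" : "not affected"}`);
  }
  const sample = { headers: { "Next-Resume": "1", "content-type": "text/plain" } };
  console.log(filterRequest(sample)); // { status: 403, ... }
  console.log(filterRequest({ headers: { "content-type": "text/plain" } })); // null
}
```

When wiring `shouldBlock` into a real edge rule or WAF, log the rejected requests' source and count as well as blocking them: a burst of `Next-Resume` requests against an unpatched deployment is the signal that the upgrade should be prioritised, and the rule can be retired once `isAffected` reports the deployed version as fixed.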