Threat Advisory

Next.js Vulnerability Generating Unbounded Traffic Processing Flows

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium


EXECUTIVE SUMMARY:

A denial-of-service vulnerability, CVE-2025-59472, affects Next.js. The Partial Prerendering (PPR) resume endpoint, when running in minimal mode with certain configurations enabled, does not enforce limits on internal resource consumption, which allows unauthenticated attackers to trigger unbounded memory allocation via specially crafted HTTP POST requests. This unbounded request body buffering and decompression can exhaust available memory, crash the server process, and render applications on vulnerable Next.js versions unavailable. The vulnerability has a CVSS score of 5.9.
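
The resource limits that the summary says are missing, shown as an added Node.js example (not Next.js code and not the upstream patch): a body reader that caps bytes accepted from the wire and caps decompressed output. The function name, the limits and the sample payloads are assumptions constructed for illustration.

```javascript
const zlib = require('node:zlib');

// Hypothetical limits for this example; size them to the application.
const LIMITS = { wireBytes: 64 * 1024, inflatedBytes: 1024 * 1024 };

// Decompressors by Content-Encoding; a Map avoids prototype-key lookups.
const INFLATERS = new Map([
  ['gzip', zlib.gunzipSync],
  ['deflate', zlib.inflateSync],
  ['br', zlib.brotliDecompressSync],
]);

// Collect body chunks (as delivered by 'data' events) under a hard cap on
// bytes read from the wire, then decompress under a cap on output size.
function readBoundedBody(chunks, encoding, limits = LIMITS) {
  const kept = [];
  let received = 0;
  for (const chunk of chunks) {
    received += chunk.length;
    // Reject before buffering the chunk that crosses the cap.
    if (received > limits.wireBytes) {
      return { ok: false, status: 413, reason: 'body too large' };
    }
    kept.push(chunk);
  }
  const wire = Buffer.concat(kept, received);
  if (!encoding || encoding === 'identity') return { ok: true, body: wire };

  const inflate = INFLATERS.get(encoding);
  if (!inflate) return { ok: false, status: 415, reason: 'unsupported encoding' };
  try {
    // maxOutputLength makes zlib throw instead of growing its output buffer
    // without bound, which stops a small-in, huge-out payload.
    const body = inflate(wire, { maxOutputLength: limits.inflatedBytes });
    return { ok: true, body };
  } catch (err) {
    if (err.code === 'ERR_BUFFER_TOO_LARGE') {
      return { ok: false, status: 413, reason: 'decompressed body too large' };
    }
    return { ok: false, status: 400, reason: 'malformed compressed body' };
  }
}

// Constructed samples: 4 MiB of zeros gzips to a few KiB; a small JSON body.
const sampleBomb = zlib.gzipSync(Buffer.alloc(4 * 1024 * 1024));
const sampleSmall = zlib.gzipSync(Buffer.from('{"ok":true}'));
```

The constructed 4 MiB sample passes the wire cap because it compresses to a few KiB, so only the output cap rejects it; a wire-size limit alone does not bound memory once decompression is involved.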

 

RECOMMENDATION:

We strongly recommend that you update Next.js as follows:

  • Next.js to version 15.6.0-canary.61 or later.
  • Next.js to version 16.1.5 or later.

 

REFERENCES:

The following reports contain further technical details:
