{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27979", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:24:57.793Z", "datePublished": "2026-03-18T00:13:29.748Z", "dateUpdated": "2026-03-18T19:51:36.190Z"}, "containers": {"cna": {"title": "Next.js: Unbounded postponed resume buffering can lead to DoS", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq"}, {"name": "https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1", "tags": ["x_refsource_MISC"], "url": "https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1"}, {"name": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"version": ">= 16.0.1, < 16.1.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:13:29.748Z"}, "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client."}], "source": {"advisory": "GHSA-h27x-g6w4-24gq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T19:51:23.444351Z", "id": "CVE-2026-27979", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:51:36.190Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27979", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T19:51:23.444351Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:51:28.994Z"}}], "cna": {"title": "Next.js: Unbounded postponed resume buffering can lead to DoS", "source": {"advisory": "GHSA-h27x-g6w4-24gq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"status": "affected", "version": ">= 16.0.1, < 16.1.7"}]}], "references": [{"url": "https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq", "name": "https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1", "name": "https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "name": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:13:29.748Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27979", "state": "PUBLISHED", "dateUpdated": "2026-03-18T19:51:36.190Z", "dateReserved": "2026-02-25T03:24:57.793Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T00:13:29.748Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B6AA61BB-C5CD-4725-9A02-BEFA55D52351", "versionEndExcluding": "16.1.7", "versionStartIncluding": "16.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client."}, {"lang": "es", "value": "Next.js es un React framework para construir aplicaciones web full-stack. A partir de la versi\u00f3n 16.0.1 y antes de la versi\u00f3n 16.1.7, una solicitud que contuviera el encabezado `next-resume: 1` (correspondiente a una solicitud de reanudaci\u00f3n PPR) almacenar\u00eda en b\u00fafer los cuerpos de las solicitudes sin aplicar consistentemente `maxPostponedStateSize` en ciertas configuraciones. La mitigaci\u00f3n anterior proteg\u00eda las implementaciones en modo m\u00ednimo, pero las implementaciones no m\u00ednimas equivalentes segu\u00edan siendo vulnerables al mismo comportamiento de almacenamiento en b\u00fafer ilimitado del cuerpo de reanudaci\u00f3n pospuesto. En aplicaciones que utilizan el App Router con la capacidad de Prerrenderizado Parcial habilitada (a trav\u00e9s de `experimental.ppr` o `cacheComponents`), un atacante podr\u00eda enviar cargas \u00fatiles POST `next-resume` sobredimensionadas que se almacenaban en b\u00fafer sin una aplicaci\u00f3n consistente del tama\u00f1o en implementaciones no m\u00ednimas, causando un uso excesivo de memoria y una potencial denegaci\u00f3n de servicio. Esto se corrige en la versi\u00f3n 16.1.7 al aplicar l\u00edmites de tama\u00f1o en todas las rutas de almacenamiento en b\u00fafer de cuerpos pospuestos y generar un error cuando se exceden los l\u00edmites. Si la actualizaci\u00f3n no es posible de inmediato, bloquee las solicitudes que contengan el encabezado `next-resume`, ya que nunca es v\u00e1lido que esto sea enviado desde un cliente no confiable."}], "id": "CVE-2026-27979", "lastModified": "2026-03-18T20:04:17.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T01:16:04.797", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "next.js: Next.js: Unbounded postponed resume buffering can lead to DoS", "id": "2448512", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448512"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-770", "details": ["A denial of service flaw has been discovered in Next.js. A request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27979", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/rekor-search-ui-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-03-18T00:13:29Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27979\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27979\nhttps://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1\nhttps://github.com/vercel/next.js/releases/tag/v16.1.7\nhttps://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.1,16.1.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "next.js", "source": "cna", "vendor": "vercel"}, "product": "next.js", "vendor": "vercel"}], "analysis": {"en": {"generated_at": "2026-03-18T21:51:31.118656+00:00", "value": {"mitigation_remediation": ["Upgrade Next.js to version 16.1.7 or later, which enforces buffer size limits on all postponed-body buffering paths.", "If an upgrade cannot be performed immediately, block incoming requests that contain the `next-resume` header, as this header is never legitimately sent by untrusted clients."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is Vercel\u2019s Next.js framework. Versions 16.0.1 up to and including 16.1.6 are vulnerable. Applications using the App Router with Partial Prerendering enabled in non\u2011minimal deployments are impacted, while minimal-mode deployments remain protected by the previous mitigation.", "description_and_impact": "Next.js versions 16.0.1 through 16.1.6 allow an attacker to send an HTTP POST request containing the `next-resume: 1` header, triggering unbounded postponed resume-body buffering. Because memory limits are not consistently enforced in non\u2011minimal deployments with Partial Prerendering enabled, oversized payloads can consume excessive memory, leading to a denial\u2011of\u2011service. This resource exhaustion flaw is categorized as CWE\u2011770, and based on the description it is inferred that no authentication is needed to launch the attack.", "risk_and_exploitability": "The CVSS v3 score is 6.9, indicating moderate risk, and the EPSS score is less than 1\u202f%, implying a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP POST request to a vulnerable Next.js application with the `next-resume` header; this inference comes from the fact that the description states an attacker can send oversized payloads without mentioning authentication."}}}}, "created": "2026-03-18T10:42:25.480612+00:00", "updated": "2026-03-24T10:53:55.532738+00:00", "vendors": ["vercel", "vercel$PRODUCT$next.js"]}