Cyber Resilience

CVE-2025-59472

MediumDDoS

Published: 26 January 2026

Published
26 January 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0015 35.3th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59472 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Vercel Next.Js. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-59472 is a denial-of-service vulnerability in Next.js versions configured with Partial Prerendering (PPR) enabled via `experimental.ppr: true` or `cacheComponents: true`, and running in minimal mode with the `NEXT_PRIVATE_MINIMAL_MODE=1` environment variable. The issue stems from the PPR resume endpoint, which accepts unauthenticated POST requests bearing the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two related flaws enable server crashes through memory exhaustion: unbounded buffering of the entire POST request body using `Buffer.concat()` without size limits, and unbounded decompression of the resume data cache via `inflateSync()`, which permits zipbomb payloads that expand small inputs into hundreds of megabytes or gigabytes.

An unauthenticated network attacker can exploit this by sending crafted POST requests to the resume endpoint. Large payloads directly exhaust memory during buffering, while compressed zipbombs evade reverse proxy size limits yet trigger massive decompression on the server. In both cases, the result is a fatal V8 out-of-memory error ("FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory"), terminating the Node.js process and disrupting service availability. The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption).

The Next.js security advisory at https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h recommends upgrading to version 15.6.0-canary.61 or 16.1.5 to mitigate the risks and prevent availability issues in affected applications.

EU & UK References

Vulnerability details

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely…

more

related vulnerabilities allow an attacker to crash the server process through memory exhaustion: 1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory. 2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion. Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server. To be affected you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable. Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct unauthenticated exploitation of public-facing Next.js PPR endpoint enabling application-layer DoS via resource exhaustion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-59471Same product: Vercel Next.Js
CVE-2026-27980Same product: Vercel Next.Js
CVE-2026-44575Same product: Vercel Next.Js
CVE-2026-45109Same product: Vercel Next.Js
CVE-2026-27979Same product: Vercel Next.Js
CVE-2026-44573Same product: Vercel Next.Js
CVE-2026-44574Same product: Vercel Next.Js
CVE-2025-29927Same product: Vercel Next.Js
CVE-2026-44578Same product: Vercel Next.Js
CVE-2026-44579Same product: Vercel Next.Js

Affected Assets

vercel
next.js
15.6.0 · 15.0.0 — 15.6.0 · 16.0.0 — 16.1.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces authentication/authorization on the PPR resume endpoint so that unauthenticated POST requests with Next-Resume:1 are rejected before any buffering or decompression occurs.

prevent

Requires validation of request-body size and decompressed output length, directly blocking the unbounded Buffer.concat and inflateSync operations that cause heap exhaustion.

prevent

Mandates technical safeguards that limit the effects of resource-exhaustion DoS attacks against publicly reachable endpoints such as the PPR resume handler.

References