CVE-2025-59472
Published: 26 January 2026
Summary
CVE-2025-59472 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Vercel Next.Js. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-59472 is a denial-of-service vulnerability in Next.js versions configured with Partial Prerendering (PPR) enabled via `experimental.ppr: true` or `cacheComponents: true`, and running in minimal mode with the `NEXT_PRIVATE_MINIMAL_MODE=1` environment variable. The issue stems from the PPR resume endpoint, which accepts unauthenticated POST requests bearing the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two related flaws enable server crashes through memory exhaustion: unbounded buffering of the entire POST request body using `Buffer.concat()` without size limits, and unbounded decompression of the resume data cache via `inflateSync()`, which permits zipbomb payloads that expand small inputs into hundreds of megabytes or gigabytes.
An unauthenticated network attacker can exploit this by sending crafted POST requests to the resume endpoint. Large payloads directly exhaust memory during buffering, while compressed zipbombs evade reverse proxy size limits yet trigger massive decompression on the server. In both cases, the result is a fatal V8 out-of-memory error ("FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory"), terminating the Node.js process and disrupting service availability. The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption).
The Next.js security advisory at https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h recommends upgrading to version 15.6.0-canary.61 or 16.1.5 to mitigate the risks and prevent availability issues in affected applications.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206333
Vulnerability details
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely…
more
related vulnerabilities allow an attacker to crash the server process through memory exhaustion: 1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory. 2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion. Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server. To be affected you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable. Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated exploitation of public-facing Next.js PPR endpoint enabling application-layer DoS via resource exhaustion.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces authentication/authorization on the PPR resume endpoint so that unauthenticated POST requests with Next-Resume:1 are rejected before any buffering or decompression occurs.
Requires validation of request-body size and decompressed output length, directly blocking the unbounded Buffer.concat and inflateSync operations that cause heap exhaustion.
Mandates technical safeguards that limit the effects of resource-exhaustion DoS attacks against publicly reachable endpoints such as the PPR resume handler.