CVE-2025-59472
Published: 26 January 2026
Summary
CVE-2025-59472 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Vercel Next.Js. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
The team can analyze and respond to resource exhaustion incidents, reducing the impact of attacks that exploit uncontrolled consumption weaknesses.
Timely maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled resource consumption, shortening the impact window of denial-of-service attacks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated exploitation of public-facing Next.js PPR endpoint enabling application-layer DoS via resource exhaustion.
NVD Description
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely…
more
related vulnerabilities allow an attacker to crash the server process through memory exhaustion: 1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory. 2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion. Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server. To be affected you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable. Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Deeper analysisAI
CVE-2025-59472 is a denial-of-service vulnerability in Next.js versions configured with Partial Prerendering (PPR) enabled via `experimental.ppr: true` or `cacheComponents: true`, and running in minimal mode with the `NEXT_PRIVATE_MINIMAL_MODE=1` environment variable. The issue stems from the PPR resume endpoint, which accepts unauthenticated POST requests bearing the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two related flaws enable server crashes through memory exhaustion: unbounded buffering of the entire POST request body using `Buffer.concat()` without size limits, and unbounded decompression of the resume data cache via `inflateSync()`, which permits zipbomb payloads that expand small inputs into hundreds of megabytes or gigabytes.
An unauthenticated network attacker can exploit this by sending crafted POST requests to the resume endpoint. Large payloads directly exhaust memory during buffering, while compressed zipbombs evade reverse proxy size limits yet trigger massive decompression on the server. In both cases, the result is a fatal V8 out-of-memory error ("FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory"), terminating the Node.js process and disrupting service availability. The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption).
The Next.js security advisory at https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h recommends upgrading to version 15.6.0-canary.61 or 16.1.5 to mitigate the risks and prevent availability issues in affected applications.
Details
- CWE(s)