Cyber Posture

CVE-2026-27979

High

Published: 18 March 2026
Modified: 18 March 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (5.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27979 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Vercel Next.js. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 5.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Remediates the specific flaw in Next.js by updating to version 16.1.7, which enforces size limits on all postponed-body buffering paths to prevent unbounded memory usage.

Prevent (SC-5 Denial-of-service Protection): Enforces denial-of-service protections such as request body size limits at system entry points, so oversized `next-resume` POST payloads cannot exhaust memory.

Prevent (information input restrictions): Enforces maximum POST body sizes and rejects requests carrying the `next-resume` header from untrusted clients at entry points.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a remote unauthenticated DoS via memory exhaustion from unbounded buffering of oversized POST bodies in a public-facing Next.js application; this directly maps to exploiting an application vulnerability for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.

Deeper analysis

CVE-2026-27979 is a denial-of-service vulnerability in Next.js, a React framework for building full-stack web applications. It affects versions starting from 16.0.1 up to but not including 16.1.7, specifically in applications using the App Router with Partial Prerendering enabled via the `experimental.ppr` or `cacheComponents` options. The issue arises because requests containing the `next-resume: 1` header, which correspond to PPR resume requests, buffer POST request bodies without consistently enforcing the `maxPostponedStateSize` limit in non-minimal deployments. While minimal-mode deployments had prior mitigations, equivalent non-minimal setups remained susceptible to unbounded buffering of postponed resume-body data.

Any unauthenticated remote attacker can exploit this vulnerability by sending oversized `next-resume` POST payloads to a vulnerable Next.js application. This triggers excessive memory usage due to the lack of consistent size enforcement, potentially leading to denial of service through resource exhaustion. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects its high-impact availability disruption with low complexity and no privileges required.

The vulnerability is addressed in Next.js version 16.1.7, which enforces size limits across all postponed-body buffering paths and returns an error when limits are exceeded. For deployments unable to upgrade immediately, the advisory recommends blocking requests containing the `next-resume` header, as these are never valid from untrusted clients. Relevant resources include the fix commit at https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1, the release notes for v16.1.7 at https://github.com/vercel/next.js/releases/tag/v16.1.7, and the security advisory at https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq.
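As an added example that is not part of this page or of the Next.js project, the following JavaScript edge guard applies the two mitigations the advisory describes: it rejects any request carrying the `next-resume` header from untrusted clients and caps buffered POST bodies so a single request cannot grow memory without bound. The 64 KiB cap, the function names and the constructed body generator are assumptions for illustration.

```javascript
// Added example (not Next.js project code): an edge-layer guard applying the advisory's
// two mitigations before a request reaches the app. The byte cap is an assumed value.
const MAX_POSTPONED_BODY_BYTES = 64 * 1024; // assumed cap for this example

// The advisory says `next-resume` is never valid from an untrusted client: presence alone rejects.
function hasResumeHeader(headers) {
  return Object.keys(headers).some((name) => name.toLowerCase() === "next-resume");
}

// Buffers body chunks but refuses to grow past `limit`; failing on the first chunk that
// would cross the cap bounds peak memory to roughly limit + one chunk.
class BoundedBodyBuffer {
  constructor(limit) { this.limit = limit; this.size = 0; this.chunks = []; }
  push(chunk) {
    if (this.size + chunk.length > this.limit) {
      throw new RangeError(`body exceeds ${this.limit} bytes`);
    }
    this.size += chunk.length;
    this.chunks.push(chunk);
  }
  finish() { return Buffer.concat(this.chunks); }
}

// Decides one request; `chunks` is any iterable of Buffers and reading stops at the first rejection.
function guardRequest(headers, chunks, limit = MAX_POSTPONED_BODY_BYTES) {
  if (hasResumeHeader(headers)) {
    return { status: 403, bytesRead: 0, reason: "next-resume header rejected at the edge" };
  }
  const buf = new BoundedBodyBuffer(limit);
  let bytesRead = 0;
  for (const chunk of chunks) {
    bytesRead += chunk.length;
    try { buf.push(chunk); }
    catch (err) {
      if (err instanceof RangeError) return { status: 413, bytesRead, reason: err.message };
      throw err;
    }
  }
  return { status: 200, bytesRead, reason: "ok", body: buf.finish() };
}

// Constructed input: lazily yields `total` bytes in `chunkSize` pieces, like a client streaming a large POST.
function* fakeBody(total, chunkSize) {
  for (let sent = 0; sent < total; sent += chunkSize) {
    yield Buffer.alloc(Math.min(chunkSize, total - sent), 0x41);
  }
}
// A 10 MiB body against the 64 KiB cap is refused after five 16 KiB chunks.
const verdict = guardRequest({ "content-type": "text/plain" }, fakeBody(10 * 1024 * 1024, 16 * 1024));
console.log(verdict.status, verdict.bytesRead); // → 413 81920
```

In a real deployment the same checks would run in a reverse proxy or middleware in front of the Next.js server, feeding the request stream's `data` events into `BoundedBodyBuffer` and ending the request on the first rejection.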

Details

CWE(s): CWE-770 Allocation of Resources Without Limits or Throttling

Affected Products: vercel next.js, versions 16.0.1 up to (but not including) 16.1.7

CVEs Like This One

CVE-2025-59471 (same product: Vercel Next.js)
CVE-2025-59472 (same product: Vercel Next.js)
CVE-2025-29927 (same product: Vercel Next.js)
CVE-2026-27980 (same product: Vercel Next.js)
CVE-2025-57822 (same product: Vercel Next.js)
CVE-2026-33256 (shared CWE-770)
CVE-2026-26313 (shared CWE-770)
CVE-2025-27219 (shared CWE-770)
CVE-2026-24458 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
