Next.js PPR: When 'Minimal Mode' Maximizes Your Downtime
Vulnerability ID: CVE-2025-59472
CVSS Score: 5.9
Published: 2026-01-28
A Denial of Service (DoS) vulnerability exists in Next.js versions utilizing Partial Prerendering (PPR) in 'minimal mode'. An unauthenticated attacker can exploit the 'resume' endpoint by sending an unbounded or maliciously compressed POST body, leading to a heap out-of-memory (OOM) crash via either unchecked buffer concatenation or a decompression bomb.
TL;DR
Next.js 'minimal mode' with PPR enabled accepted resume requests without any body size limit. An attacker could send a massive payload or a zipbomb, causing the Node.js process to run out of memory and crash instantly.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-400 (Uncontrolled Resource Consumption)
- Attack Vector: Network (POST Request)
- CVSS: 5.9 (Medium)
- Impact: Denial of Service (OOM Crash)
- EPSS Score: 0.0004
- Vulnerable Config: Minimal Mode + PPR
Affected Systems
- Next.js 15.x < 15.6.0-canary.61
- Next.js 16.x < 16.1.5
- Next.js 15.0.0 - 15.6.0-canary.60 (fixed in 15.6.0-canary.61)
- Next.js 16.0.0 - 16.1.4 (fixed in 16.1.5)
Mitigation Strategies
- Update Next.js to patched versions immediately.
- Disable the NEXT_PRIVATE_MINIMAL_MODE environment variable if it is not strictly necessary.
- Block the Next-Resume HTTP header at the WAF/Edge level for public traffic.
- Configure experimental.maxPostponedStateSize in next.config.js if the default limits are too restrictive for legitimate use cases.
Remediation Steps:
- Check package.json for the next version.
- Run npm install next@latest or yarn add next@latest.
- Verify the installed version is >= 16.1.5 or >= 15.6.0-canary.61.
- Redeploy the application to invalidate the vulnerable runtime.
References
Read the full report for CVE-2025-59472 on our website for more details including interactive diagrams and full exploit analysis.