Vulnerability Database

346,508

Total vulnerabilities in the database

CVE-2025-59472 — vercel / next.js

Uncontrolled Resource Consumption

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

  1. Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

  2. Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected you must have an application running with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

CVSS v3:

  • Severity: Medium
  • Score: 5.9
  • AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

Software From Fixed in
vercel / next.js 15.0.0 15.6.0
vercel / next.js 16.0.0 16.1.5
vercel / next.js 15.6.0 15.6.0.x
vercel / next.js 15.6.0-canary0 15.6.0-canary0.x
vercel / next.js 15.6.0-canary1 15.6.0-canary1.x
vercel / next.js 15.6.0-canary10 15.6.0-canary10.x
vercel / next.js 15.6.0-canary11 15.6.0-canary11.x
vercel / next.js 15.6.0-canary12 15.6.0-canary12.x
vercel / next.js 15.6.0-canary13 15.6.0-canary13.x
vercel / next.js 15.6.0-canary14 15.6.0-canary14.x
vercel / next.js 15.6.0-canary15 15.6.0-canary15.x
vercel / next.js 15.6.0-canary16 15.6.0-canary16.x
vercel / next.js 15.6.0-canary17 15.6.0-canary17.x
vercel / next.js 15.6.0-canary18 15.6.0-canary18.x
vercel / next.js 15.6.0-canary19 15.6.0-canary19.x
vercel / next.js 15.6.0-canary2 15.6.0-canary2.x
vercel / next.js 15.6.0-canary20 15.6.0-canary20.x
vercel / next.js 15.6.0-canary21 15.6.0-canary21.x
vercel / next.js 15.6.0-canary22 15.6.0-canary22.x
vercel / next.js 15.6.0-canary23 15.6.0-canary23.x
vercel / next.js 15.6.0-canary24 15.6.0-canary24.x
vercel / next.js 15.6.0-canary25 15.6.0-canary25.x
vercel / next.js 15.6.0-canary26 15.6.0-canary26.x
vercel / next.js 15.6.0-canary27 15.6.0-canary27.x
vercel / next.js 15.6.0-canary28 15.6.0-canary28.x
vercel / next.js 15.6.0-canary29 15.6.0-canary29.x
vercel / next.js 15.6.0-canary3 15.6.0-canary3.x
vercel / next.js 15.6.0-canary30 15.6.0-canary30.x
vercel / next.js 15.6.0-canary31 15.6.0-canary31.x
vercel / next.js 15.6.0-canary32 15.6.0-canary32.x
vercel / next.js 15.6.0-canary33 15.6.0-canary33.x
vercel / next.js 15.6.0-canary34 15.6.0-canary34.x
vercel / next.js 15.6.0-canary35 15.6.0-canary35.x
vercel / next.js 15.6.0-canary36 15.6.0-canary36.x
vercel / next.js 15.6.0-canary37 15.6.0-canary37.x
vercel / next.js 15.6.0-canary38 15.6.0-canary38.x
vercel / next.js 15.6.0-canary39 15.6.0-canary39.x
vercel / next.js 15.6.0-canary4 15.6.0-canary4.x
vercel / next.js 15.6.0-canary40 15.6.0-canary40.x
vercel / next.js 15.6.0-canary41 15.6.0-canary41.x
vercel / next.js 15.6.0-canary42 15.6.0-canary42.x
vercel / next.js 15.6.0-canary43 15.6.0-canary43.x
vercel / next.js 15.6.0-canary44 15.6.0-canary44.x
vercel / next.js 15.6.0-canary45 15.6.0-canary45.x
vercel / next.js 15.6.0-canary46 15.6.0-canary46.x
vercel / next.js 15.6.0-canary47 15.6.0-canary47.x
vercel / next.js 15.6.0-canary48 15.6.0-canary48.x
vercel / next.js 15.6.0-canary49 15.6.0-canary49.x
vercel / next.js 15.6.0-canary5 15.6.0-canary5.x
vercel / next.js 15.6.0-canary50 15.6.0-canary50.x
vercel / next.js 15.6.0-canary51 15.6.0-canary51.x
vercel / next.js 15.6.0-canary52 15.6.0-canary52.x
vercel / next.js 15.6.0-canary53 15.6.0-canary53.x
vercel / next.js 15.6.0-canary54 15.6.0-canary54.x
vercel / next.js 15.6.0-canary55 15.6.0-canary55.x
vercel / next.js 15.6.0-canary56 15.6.0-canary56.x
vercel / next.js 15.6.0-canary57 15.6.0-canary57.x
vercel / next.js 15.6.0-canary58 15.6.0-canary58.x
vercel / next.js 15.6.0-canary59 15.6.0-canary59.x
vercel / next.js 15.6.0-canary6 15.6.0-canary6.x
vercel / next.js 15.6.0-canary60 15.6.0-canary60.x
vercel / next.js 15.6.0-canary7 15.6.0-canary7.x
vercel / next.js 15.6.0-canary8 15.6.0-canary8.x
vercel / next.js 15.6.0-canary9 15.6.0-canary9.x
Node.js icon next 16.0.0-beta.0 16.1.5
Node.js icon next 15.6.0-canary.0 15.6.0-canary.61
Node.js icon next 15.0.0-canary.0 15.0.0-canary.205.x
Node.js icon next 15.0.1-canary.0 15.0.1-canary.3.x
Node.js icon next 15.0.2-canary.0 15.0.2-canary.11.x
Node.js icon next 15.0.3-canary.0 15.0.3-canary.9.x
Node.js icon next 15.0.4-canary.0 15.0.4-canary.52.x
Node.js icon next 15.1.1-canary.0 15.1.1-canary.27.x
Node.js icon next 15.2.0-canary.0 15.2.0-canary.77.x
Node.js icon next 15.2.1-canary.0 15.2.1-canary.6.x
Node.js icon next 15.2.2-canary.0 15.2.2-canary.7.x
Node.js icon next 15.3.0-canary.0 15.3.0-canary.46.x
Node.js icon next 15.3.1-canary.0 15.3.1-canary.15.x
Node.js icon next 15.4.0-canary.0 15.4.0-canary.130.x
Node.js icon next 15.4.2-canary.0 15.4.2-canary.56.x
Node.js icon next 15.5.1-canary.0 15.5.1-canary.39.x

Frequently Asked Questions

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.