GHSA-h27x-g6w4-24gq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h27x-g6w4-24gq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-h27x-g6w4-24gq/GHSA-h27x-g6w4-24gq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h27x-g6w4-24gq
- Aliases
- Published
- 2026-03-17T16:16:49Z
- Modified
- 2026-03-19T18:48:06.587119Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Next.js: Unbounded postponed resume buffering can lead to DoS
- Details
-
Summary
A request containing the
next-resume: 1header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcingmaxPostponedStateSizein certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.Impact
In applications using the App Router with Partial Prerendering capability enabled (via
experimental.pprorcacheComponents), an attacker could send oversizednext-resumePOST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.Patches
Fixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded.
Workarounds
If upgrade is not immediately possible: - Block requests containing the
next-resumeheader, as this is never valid to be sent from an untrusted client. - Database specific
{ "github_reviewed_at": "2026-03-17T16:16:49Z", "nvd_published_at": "2026-03-18T01:16:04Z", "cwe_ids": [ "CWE-770" ], "severity": "MODERATE", "github_reviewed": true }- References
Affected packages
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next