GHSA-mg66-mrh9-m8jx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mg66-mrh9-m8jx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-mg66-mrh9-m8jx/GHSA-mg66-mrh9-m8jx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mg66-mrh9-m8jx
- Aliases
-
- CVE-2026-44579
- Related
- Published
- 2026-05-11T15:56:24Z
- Modified
- 2026-05-13T03:44:32.502843167Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
- Details
-
Impact
Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service.
Fix
We now treat the header used for resuming Partial Prerendered requests as an internal-only header and strip it from untrusted incoming requests. This header should never be accepted directly from external clients.
Workarounds
If you cannot upgrade immediately, block requests that would be handled by Next.js if they contain the
Next-Resumeheader at the edge. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-11T15:56:24Z", "cwe_ids": [ "CWE-770" ], "severity": "HIGH", "nvd_published_at": null }- References
Affected packages
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next