Platform: nodejs
Component: next
Fixed in: 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.2.0, 15.2.1, 15.2.2, 15.2.3, 15.2.4, 15.2.5, 15.3.0, 15.3.1, 15.3.2, 15.1.8, 15.3.3, 15.4.0, 15.3.4, 15.3.5, 15.4.1, 15.4.2, 15.4.3, 15.4.4, 15.4.5, 15.4.6, 15.4.7, 15.5.0, 15.5.1, 15.5.2, 15.5.3, 15.5.4, 15.5.5, 15.5.6, 15.5.7, 15.4.8, 15.1.9, 15.0.5, 15.3.6, 15.2.6, 15.5.8, 15.4.9, 15.3.7, 15.2.7, 15.1.10, 15.0.6, 15.5.9, 15.4.10, 15.3.8, 15.2.8, 15.1.11, 15.0.7, 16.1.5, 15.6.1, 16.1.6, 15.6.0-canary.61
CVE-2025-59472 is a denial-of-service vulnerability in Next.js that is reachable when Partial Prerendering (PPR) is enabled and the server runs in minimal mode. An attacker can crash the server process by exhausting its memory through the PPR resume endpoint. The vulnerability affects Next.js versions prior to 16.1.5 (with a separate fix in 15.6.0-canary.61 on the 15.x line) and is triggered by unauthenticated POST requests that carry the `Next-Resume: 1` header.
The root cause is how the server handles POST requests to the PPR resume endpoint: it reads the entire request body into memory, collecting every chunk and joining them with Buffer.concat(), without imposing any size limit. An attacker can therefore send one arbitrarily large body, or many concurrent ones, and grow the Node.js heap until the process aborts, taking the application down for legitimate users. Because the endpoint needs no authentication and there is no cap at all, the attacker spends only bandwidth while the server pays memory for every byte it receives, which is what makes the flaw easy to exploit at scale.
CVE-2025-59472 was published on 2026-01-28. There is currently no public proof-of-concept (PoC) available, and no confirmed exploitation in the wild. The EPSS score is 0.09% (25th percentile). This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status: EPSS 0.09% (25th percentile); no CISA SSVC decision or CVSS vector is listed on this page.
The primary mitigation for CVE-2025-59472 is to upgrade to Next.js 16.1.5 or later, which contains the fix. If an immediate upgrade is not feasible, apply a temporary workaround. The most reliable one is to cap POST request bodies at the reverse proxy (for example Nginx's `client_max_body_size` directive, or the equivalent in Apache or your load balancer) so oversized requests never reach the Next.js process. Validation inside the application is only useful if it runs before Next.js consumes the body, for instance in a custom server that inspects the method, the `Next-Resume` header and `Content-Length` first; a check that runs after the body has already been buffered arrives too late. Monitoring process memory and restart counts also helps detect an attack in progress.
Update Next.js to 15.6.0-canary.61 or higher on the 15.x line, or to 16.1.5 or higher. This corrects the denial of service caused by unbounded data handling in the PPR resume endpoint. If you cannot update immediately, remove the preconditions instead: disable `experimental.ppr: true` (or `cacheComponents: true`) and unset the environment variable `NEXT_PRIVATE_MINIMAL_MODE=1`.
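As an added example of the workaround described above (not code from Next.js, Vercel or the advisory), the following edge guard screens PPR resume requests on their headers alone, before any body is read. The byte limit, the 411/413 response codes and the function names are this example's own choices; the test inputs are constructed header objects, not captured requests.

```javascript
// Added example (not Next.js code): header-level pre-screening for PPR resume POSTs.
const RESUME_HEADER = 'next-resume';

// Decide whether a request may proceed to the resume endpoint. Only POSTs that
// carry the Next-Resume: 1 header are screened; everything else passes through
// untouched so the guard cannot break unrelated routes.
function screenResumeRequest(method, headers, maxBytes) {
  // Node lower-cases incoming header names; normalise here so hand-built
  // objects behave the same way as req.headers.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  const isResume = method.toUpperCase() === 'POST' && h[RESUME_HEADER] === '1';
  if (!isResume) return { allow: true };

  // A chunked body has no declared size, so its length cannot be checked up
  // front; refusing it here is the conservative choice for this endpoint.
  if ((h['transfer-encoding'] || '').toLowerCase().includes('chunked')) {
    return { allow: false, status: 411, reason: 'resume requests must declare Content-Length' };
  }
  const raw = h['content-length'];
  if (raw === undefined || !/^\d+$/.test(raw)) {
    return { allow: false, status: 411, reason: 'missing or invalid Content-Length' };
  }
  const declared = Number(raw);
  if (declared > maxBytes) {
    return { allow: false, status: 413, reason: `declared body ${declared} exceeds ${maxBytes}` };
  }
  return { allow: true };
}

// Connect-style middleware wrapper for a custom server placed in front of Next.js.
function resumeGuard(maxBytes) {
  return function guard(req, res, next) {
    const verdict = screenResumeRequest(req.method || 'GET', req.headers || {}, maxBytes);
    if (verdict.allow) return next();
    res.writeHead(verdict.status, { 'content-type': 'text/plain', connection: 'close' });
    res.end(verdict.reason);
    return undefined;
  };
}

module.exports = { screenResumeRequest, resumeGuard, RESUME_HEADER };
```

Content-Length is attacker-controlled, so this check is a cheap first filter rather than a complete defence: a client can declare a small length and then keep sending. Pair it with a limit that is enforced on the actual byte stream, which is exactly what a proxy-level body size cap provides. Whether the Next.js resume endpoint itself consults Content-Length is not something the advisory text states, which is why the guard sits in front of it.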
CVE-2025-59472 is a denial-of-service vulnerability in Next.js versions with PPR enabled, allowing attackers to crash the server by exhausting memory resources through large POST requests.
You are affected if you are using Next.js versions prior to 16.1.5 and have Partial Prerendering (PPR) enabled in minimal mode.
Upgrade to Next.js version 16.1.5 or later. As a temporary workaround, limit the size of POST request bodies at the reverse proxy level or within the Next.js application.
Currently, there is no public proof-of-concept or confirmed exploitation in the wild for CVE-2025-59472.
Refer to the official Next.js security advisory for details: [https://github.com/vercel/next.js/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/vercel/next.js/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual advisory link)