Next.js PPR Denial of Service via Unbounded Memory Allocation (CVE-2025-59472)

Vulnerability Type: Denial of Service (DoS) CVE ID: CVE-2025-59472 Vulnerability Details: - Exists in Next.js's Partial Prerendering (PPR) feature. - When the application runs in minimal mode and PPR is enabled, the PPR restore endpoint accepts unauthorized POST requests and processes attacker-controlled delay state data. - This vulnerability causes service crashes by exhausting memory. It involves two related issues: - Unbounded request body caching: The server uses to pull the entire POST request body into memory without any size limits, allowing attackers to send arbitrarily large payloads that exhaust available memory. - Unbounded decompression ("decompression bomb"): The restored data cache uses for decompression, with no limit on the size of the decompressed output. A small compressed payload can expand to hundreds of megabytes or gigabytes, leading to memory exhaustion. - Both attack vectors result in a fatal V8 memory overflow error (fatal error: heap allocation failed — JavaScript heap out of memory), causing the Node.js process to terminate. The decompression bomb is especially dangerous, as it can bypass reverse proxy request size limits while still triggering massive memory allocation on the server. - To be affected, your application must be running with or configuration, along with the environment variable. - It is strongly recommended to upgrade to or to mitigate the risk and prevent availability issues in your Next.js application. Affected and Patched Versions: - Affected versions include a wide range from to versions. - The vulnerability has been patched in subsequent releases of the respective major versions (e.g., fixes , etc.), establishing a direct fix relationship. Security Rating: CVSS v3 base metrics indicate a severity score of 5.9/10 (Medium). Attack vector: Network; Attack complexity: High; Privileges required: None; User interaction: None; Scope: Unchanged; Confidentiality impact: None; Integrity impact: None; Availability impact: High. Details: - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Release Date: - This report was published by andr.rentvore four hours ago, with vulnerability ID GHSA-5fl79-q0jc-wplh.

Goal Reached Thanks to every supporter — we hit 100%!

Next.js PPR Denial of Service via Unbounded Memory Allocation (CVE-2025-59472)

More from this source