CVE-2025-59472

Опубликовано: 26 янв. 2026

Источник: nvd

CVSS3: 5.9

CVSS3: 7.5

EPSS Низкий

Описание

Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.
Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript hea

Ссылки

https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Версия от 15.0.0 (включая) до 15.6.0 (исключая)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Версия от 16.0.0 (включая) до 16.1.5 (исключая)

cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary58:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary59:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary60:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:*

cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:*

EPSS

Процентиль: 25%

0.00089

Низкий

5.9 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-400

Связанные уязвимости

CVE-2025-59472

CVSS3: 5.9

redhat

2 месяца назад

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion: 1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory. 2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion. Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript hea...

GHSA-5f7q-jpqc-wp7h

CVSS3: 5.9

github

2 месяца назад

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

EPSS

Процентиль: 25%

0.00089

Низкий

5.9 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-400