AI description
CVE-2026-44579 is a recently identified Denial of Service (DoS) vulnerability impacting Next.js applications that utilize Cache Components for Partial Prerendering. This flaw can be triggered by malicious POST requests, which lead to a request-body handling deadlock. The deadlock causes server connections to remain open indefinitely, ultimately exhausting file descriptors and overall server capacity. As a temporary mitigation, Vercel advises blocking all incoming requests containing the `Next-Resume` header at the edge layer for teams unable to apply patches immediately.
- Description
- Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- next.js
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- HIGH
- security-advisories@github.com
- CWE-770
- Hype score
- Not currently trending
直近のNext.jsのリリースで対応された脆弱性は記事を見るにこのあたりのことかな👀 CVE-2026-44574 CVE-2026-44575 CVE-2026-23870 CVE-2026-44578 CVE-2026-44579 Multiple Critical Vulnerabilities Patched in Next.js and React Server Components https://
@oTheRwoRldy
14 May 2026
260 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 High - Next.js Multiple Vulnerabilities (CVE-2026-44573, CVE-2026-44574, CVE-2026-44575, CVE-2026-44578, CVE-2026-44579, CVE-2026-45109) Multiple issues were identified in Next.js affecting App Router, Pages Router, Server Components, WebSockets, and caching mechanisms. The
@UpwindMDR
11 May 2026
91 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Next.js v16.2.4 Security PoC Collection CVE-2026-23870 CVE-2026-44575 CVE-2026-44579 CVE-2026-44574 CVE-2026-44578 CVE-2026-44573 CVE-2026-44581 CVE-2026-44580 CVE-2026-44577 CVE-2026-44576 CVE-2026-44582 CVE-2026-44572 https://t.co/255KwkLd0c via: Pr0xy
@Psycho10k_
11 May 2026
1975 Impressions
8 Retweets
43 Likes
28 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1816CFE7-5E48-40EB-8BB8-F640A1F1C3ED",
"versionEndExcluding": "15.5.16",
"versionStartIncluding": "15.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "27C5CF7A-7A33-4BE4-B8FD-10BFD813204A",
"versionEndExcluding": "16.2.5",
"versionStartIncluding": "16.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]