Resource exhaustion in Vercel Next.js

CVE-2026-27979

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request…

EPSS: 0.000 (5.8th percentile) — read the EPSS interpretation.

Affected products

Vercel Next.js — versions >= 16.0.1, < 16.1.7

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq (x_refsource_CONFIRM)
https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1 (x_refsource_MISC)
https://github.com/vercel/next.js/releases/tag/v16.1.7 (x_refsource_MISC)