54 matches found
Allocation of Resources Without Limits or Throttling
Overview next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the unbounded postponed resume-body buffering behavior of the next-resume: 1 header. An attacker can cause excessive memory usage and disrupt service...
PT-2026-25969
Name of the Vulnerable Software and Affected Versions Next.js versions 16.0.1 through 16.1.6 Description Next.js, a React framework for building full-stack web applications, is affected by an issue where requests containing the next-resume: 1 header can lead to excessive memory usage and potentia...
Next.js Framework 15.x < 15.6.0-canary.61 / 16.x < 16.1.5 PPR Resume Endpoint DoS (GHSA-5f7q-jpqc-wp7h)
The Next.js Framework on the remote host is affected by a denial of service vulnerability: - A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the...
EUVD-2025-206333
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint...
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...
GHSA-5F7Q-JPQC-WP7H Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...
Denial Of Service (DoS)
Next.js is vulnerable to a Denial of Service DoS vulnerability. The vulnerability is due to unbounded request body buffering and unbounded decompression in the Partial Prerendering PPR resume endpoint, which allows an attacker to send specially crafted unauthenticated POST requests or compressed...
Linux Distros Unpatched Vulnerability : CVE-2025-59472
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts...
Allocation of Resources Without Limits or Throttling
Overview next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Partial Prerendering resume endpoint when unauthenticated POST requests with the Next-Resume: 1 header are processed and attacker-controlled postpon...
CVE-2025-59472
A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...
CVE-2025-59472
A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...
CVE-2025-59472
A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...
CVE-2025-59472
A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...
CVE-2025-59472
A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...
CVE-2025-59472
CVE-2025-59472 concerns Next.js; vulnerable when Partial Prerendering (PPR) is enabled in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two concrete memory-exhaustion vectors are d...
PT-2026-4817
Name of the Vulnerable Software and Affected Versions Next.js versions with experimental.ppr: true or cacheComponents: true configured along with the NEXT PRIVATE MINIMAL MODE=1 environment variable Description A denial of service issue exists in Next.js when Partial Prerendering PPR is enabled i...
Server-Side Request Forgery (SSRF)
SvelteKit is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper handling of host and origin resolution during prerendered route processing, where crafted requests can trigger internal requests or cause excessive resource usage, leading to SSRF or service disrupti...
CVE-2025-67647 SvelteKit Denial of service and possible SSRF when using prerendering
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery SSRF and denial of service DoS under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when...
CVE-2025-67647 SvelteKit Denial of service and possible SSRF when using prerendering
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery SSRF and denial of service DoS under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when...
CVE-2025-67647
CVE-2025-67647 affects SvelteKit. Before 2.49.5, it allows server-side request forgery (SSRF) and DoS under prerender conditions. From 2.44.0 to 2.49.4, a DoS can occur if at least one prerendered route exists (export const prerender = true). From 2.19.0 to 2.49.4, DoS/SSRF can occur when there i...