CVE-2026-27979

Description

## Summary A request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. ## Impact In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. ## Patches Fixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. ## Workarounds If upgrade is not immediately possible: - Block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.

How to fix CVE-2026-27979

To remediate CVE-2026-27979, upgrade the affected package to a fixed version below.

• —upgrade to 16.1.7 or later

Is CVE-2026-27979 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 16.0.1, < 16.1.7

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-27979
• PATCHgithub.com/vercel/next.js
• WEBgithub.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1
• WEBgithub.com/vercel/next.js/releases/tag/v16.1.7