Listen to this Post
How the CVE works:
This vulnerability affects Next.js applications with Experimental Partial Prerendering (PPR) enabled and running in minimal mode via the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable. The PPR feature introduces a resume endpoint (_next/resume) that accepts unauthenticated POST requests when accompanied by the “Next-Resume: 1” header. This endpoint processes attacker-controlled postponed state data. The first attack vector involves unbounded request body buffering: the server uses Buffer.concat() to accumulate the entire POST request body into a single Buffer instance without enforcing any maximum size limit. An attacker can send an arbitrarily large payload, causing the Node.js process to allocate excessive memory and exhaust the heap. The second vector is unbounded decompression: the server uses zlib.inflateSync() to decompress cached resume data without limiting the output size. An attacker can craft a small, highly compressed payload (a zipbomb) that decompresses to hundreds of megabytes or gigabytes, again leading to massive memory allocation. Both methods trigger a V8 JavaScript heap limit fatal error (“FATAL ERROR: Reached heap limit Allocation failed – JavaScript heap out of memory”), forcing the Node.js process to terminate abruptly. The zipbomb variant is particularly effective as it can bypass common reverse proxy request size limits while still causing catastrophic memory consumption on the target server. The vulnerability is present in code paths handling PPR resume data when both experimental.ppr: true (or cacheComponents: true) and minimal mode are active.
Platform: Next.js
Version: PPR-enabled minimal mode
Vulnerability: Denial of Service
Severity: Critical
date: 2024-10-15
Prediction: Patched in 15.6.0-canary.61
What Undercode Say:
Analytics
Check if PPR is enabled in configuration
grep -r "experimental.ppr|cacheComponents" next.config.js
Check for minimal mode environment variable
echo $NEXT_PRIVATE_MINIMAL_MODE
Simulate malicious request with large body
curl -X POST -H "Next-Resume: 1" --data-binary @/dev/zero http://localhost:3000/_next/resume
Example vulnerable code snippet (buffering)
const chunks = [];
req.on('data', chunk => chunks.push(chunk));
req.on('end', () => {
const body = Buffer.concat(chunks); // No size limit
});
Example vulnerable code snippet (decompression)
const zlib = require('zlib');
const decompressed = zlib.inflateSync(compressedData); // No output limit
How Exploit:
Craft POST requests to /_next/resume with Next-Resume: 1 header. Send either an extremely large raw body or a small compressed zipbomb payload. The server buffers or decompresses without limits, crashing via out-of-memory error.
Protection from this CVE
Upgrade to Next.js 15.6.0-canary.61 or 16.1.5+. Disable PPR or minimal mode if unnecessary. Implement request size limits at reverse proxy layer. Monitor memory usage.
Impact:
Server process termination. Complete application downtime. Denial of service availability impact.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

