CVE-2026-44579

Next.js: Denial of Service via connection exhaustion in applications using Cache Components

Assigner: GitHub_M
Reserved: 06.05.2026 Published: 13.05.2026 Updated: 13.05.2026

Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	vercel
Product	next.js
Versions	Version >= 16.0.0, < 16.2.5 is affected Version >= 15.0.0, < 15.5.16 is affected

Vendor

vercel

Product

next.js

Versions

Version >= 16.0.0, < 16.2.5 is affected
Version >= 15.0.0, < 15.5.16 is affected

References

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE

CVE-2026-44579 PUBLISHED

Next.js: Denial of Service via connection exhaustion in applications using Cache Components

Metrics

Product Status

References

Problem Types