Lookup for vulnerabilities affecting packages.

GET /api/vulnerabilities/22284?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22284?format=api",
    "vulnerability_id": "VCID-wng9-23mc-mbcj",
    "summary": "Next.js has Unbounded Memory Consumption via PPR Resume Endpoint\nA denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:\n\n1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.\n\n2. **Unbounded decompression (zip bomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.\n\nBoth attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`), causing the Node.js process to terminate. The zip bomb variant is particularly dangerous because the compressed payload is small enough to pass reverse proxy request size limits while still causing large memory allocation on the server.\n\nTo be affected, an application must run with `experimental.ppr: true` or `cacheComponents: true` configured and with the `NEXT_PRIVATE_MINIMAL_MODE=1` environment variable set.\n\nStrongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next.js applications.",
    "aliases": [
        {
            "alias": "CVE-2025-59472"
        },
        {
            "alias": "GHSA-5f7q-jpqc-wp7h"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72461?format=api",
            "purl": "pkg:npm/next@15.6.0-canary.61",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.61"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72434?format=api",
            "purl": "pkg:npm/next@16.1.5",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5"
        }
    ],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/71715?format=api",
            "purl": "pkg:npm/next@15.0.0-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-g3kg-qq58-pyfr"
                },
                {
                    "vulnerability": "VCID-j82n-pcf9-qufa"
                },
                {
                    "vulnerability": "VCID-ufez-zfgj-zkck"
                },
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.0-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72463?format=api",
            "purl": "pkg:npm/next@15.0.0-canary.205",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.0-canary.205"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72464?format=api",
            "purl": "pkg:npm/next@15.0.1-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.1-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72465?format=api",
            "purl": "pkg:npm/next@15.0.1-canary.3",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.1-canary.3"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72466?format=api",
            "purl": "pkg:npm/next@15.0.2-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.2-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72467?format=api",
            "purl": "pkg:npm/next@15.0.2-canary.11",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.2-canary.11"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72468?format=api",
            "purl": "pkg:npm/next@15.0.3-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.3-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72469?format=api",
            "purl": "pkg:npm/next@15.0.3-canary.9",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.3-canary.9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72470?format=api",
            "purl": "pkg:npm/next@15.0.4-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.4-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72471?format=api",
            "purl": "pkg:npm/next@15.0.4-canary.52",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.4-canary.52"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/71716?format=api",
            "purl": "pkg:npm/next@15.1.1-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-gwze-eqvs-dqbu"
                },
                {
                    "vulnerability": "VCID-j82n-pcf9-qufa"
                },
                {
                    "vulnerability": "VCID-ufez-zfgj-zkck"
                },
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.1-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72472?format=api",
            "purl": "pkg:npm/next@15.1.1-canary.27",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.1-canary.27"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/71528?format=api",
            "purl": "pkg:npm/next@15.2.0-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-gwze-eqvs-dqbu"
                },
                {
                    "vulnerability": "VCID-j82n-pcf9-qufa"
                },
                {
                    "vulnerability": "VCID-nmag-ygw8-6bca"
                },
                {
                    "vulnerability": "VCID-ufez-zfgj-zkck"
                },
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.0-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72473?format=api",
            "purl": "pkg:npm/next@15.2.0-canary.77",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.0-canary.77"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72474?format=api",
            "purl": "pkg:npm/next@15.2.1-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.1-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72475?format=api",
            "purl": "pkg:npm/next@15.2.1-canary.6",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.1-canary.6"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72476?format=api",
            "purl": "pkg:npm/next@15.2.2-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.2-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72477?format=api",
            "purl": "pkg:npm/next@15.2.2-canary.7",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.2-canary.7"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/71529?format=api",
            "purl": "pkg:npm/next@15.3.0-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-gwze-eqvs-dqbu"
                },
                {
                    "vulnerability": "VCID-j82n-pcf9-qufa"
                },
                {
                    "vulnerability": "VCID-nmag-ygw8-6bca"
                },
                {
                    "vulnerability": "VCID-ufez-zfgj-zkck"
                },
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.0-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72478?format=api",
            "purl": "pkg:npm/next@15.3.0-canary.46",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.0-canary.46"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72479?format=api",
            "purl": "pkg:npm/next@15.3.1-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.1-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72480?format=api",
            "purl": "pkg:npm/next@15.3.1-canary.15",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.1-canary.15"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/71530?format=api",
            "purl": "pkg:npm/next@15.4.0-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-gwze-eqvs-dqbu"
                },
                {
                    "vulnerability": "VCID-j82n-pcf9-qufa"
                },
                {
                    "vulnerability": "VCID-nmag-ygw8-6bca"
                },
                {
                    "vulnerability": "VCID-ufez-zfgj-zkck"
                },
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.0-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72481?format=api",
            "purl": "pkg:npm/next@15.4.0-canary.130",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.0-canary.130"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72482?format=api",
            "purl": "pkg:npm/next@15.4.2-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.2-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72483?format=api",
            "purl": "pkg:npm/next@15.4.2-canary.56",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.2-canary.56"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/71717?format=api",
            "purl": "pkg:npm/next@15.5.1-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-gwze-eqvs-dqbu"
                },
                {
                    "vulnerability": "VCID-j82n-pcf9-qufa"
                },
                {
                    "vulnerability": "VCID-ufez-zfgj-zkck"
                },
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.1-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72484?format=api",
            "purl": "pkg:npm/next@15.5.1-canary.39",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.1-canary.39"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/71718?format=api",
            "purl": "pkg:npm/next@15.6.0-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-862r-7dj2-pqfs"
                },
                {
                    "vulnerability": "VCID-gwze-eqvs-dqbu"
                },
                {
                    "vulnerability": "VCID-j82n-pcf9-qufa"
                },
                {
                    "vulnerability": "VCID-ufez-zfgj-zkck"
                },
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/71719?format=api",
            "purl": "pkg:npm/next@16.0.0-beta.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-17m1-4fa4-tbc2"
                },
                {
                    "vulnerability": "VCID-b2pe-mbfy-7qfj"
                },
                {
                    "vulnerability": "VCID-f9ss-q91c-mbdh"
                },
                {
                    "vulnerability": "VCID-gwze-eqvs-dqbu"
                },
                {
                    "vulnerability": "VCID-j82n-pcf9-qufa"
                },
                {
                    "vulnerability": "VCID-ufez-zfgj-zkck"
                },
                {
                    "vulnerability": "VCID-wng9-23mc-mbcj"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.0-beta.0"
        }
    ],
    "references": [
        {
            "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59472.json",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "5.9",
                    "scoring_system": "cvssv3",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                }
            ],
            "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59472.json"
        },
        {
            "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59472",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "0.0015",
                    "scoring_system": "epss",
                    "scoring_elements": "0.35225",
                    "published_at": "2026-05-30T12:55:00Z"
                }
            ],
            "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59472"
        },
        {
            "reference_url": "https://github.com/vercel/next.js",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "5.9",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "value": "MODERATE",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://github.com/vercel/next.js"
        },
        {
            "reference_url": "https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "5.9",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "value": "MODERATE",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472"
        },
        {
            "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433092",
            "reference_id": "2433092",
            "reference_type": "",
            "scores": [],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433092"
        },
        {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59472",
            "reference_id": "CVE-2025-59472",
            "reference_type": "",
            "scores": [
                {
                    "value": "5.9",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "value": "MODERATE",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                }
            ],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59472"
        },
        {
            "reference_url": "https://github.com/advisories/GHSA-5f7q-jpqc-wp7h",
            "reference_id": "GHSA-5f7q-jpqc-wp7h",
            "reference_type": "",
            "scores": [
                {
                    "value": "MODERATE",
                    "scoring_system": "cvssv3.1_qr",
                    "scoring_elements": ""
                }
            ],
            "url": "https://github.com/advisories/GHSA-5f7q-jpqc-wp7h"
        },
        {
            "reference_url": "https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h",
            "reference_id": "GHSA-5f7q-jpqc-wp7h",
            "reference_type": "",
            "scores": [
                {
                    "value": "5.9",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
                },
                {
                    "value": "MODERATE",
                    "scoring_system": "cvssv3.1_qr",
                    "scoring_elements": ""
                },
                {
                    "value": "MODERATE",
                    "scoring_system": "generic_textual",
                    "scoring_elements": ""
                },
                {
                    "value": "Track",
                    "scoring_system": "ssvc",
                    "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T14:52:42Z/"
                }
            ],
            "url": "https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 400,
            "name": "Uncontrolled Resource Consumption",
            "description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources."
        },
        {
            "cwe_id": 409,
            "name": "Improper Handling of Highly Compressed Data (Data Amplification)",
            "description": "The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output."
        },
        {
            "cwe_id": 770,
            "name": "Allocation of Resources Without Limits or Throttling",
            "description": "The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        },
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        }
    ],
    "exploits": [],
    "severity_range_score": "4.0 - 6.9",
    "exploitability": "0.5",
    "weighted_severity": "6.2",
    "risk_score": 3.1,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wng9-23mc-mbcj"
}