CVE-2026-27979: Next.js: Unbounded postponed resume buffering can lead to DoS

March 17, 2026 (updated March 19, 2026)

A request containing the next-resume: 1 header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.

References

github.com/advisories/GHSA-h27x-g6w4-24gq
github.com/vercel/next.js
github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1
github.com/vercel/next.js/releases/tag/v16.1.7
github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq
nvd.nist.gov/vuln/detail/CVE-2026-27979

Code Behaviors & Features

Detect and mitigate CVE-2026-27979 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →