Fluid Attacks Database

Description

A flaw was found in Next.js. Applications utilizing Partial Prerendering via the Cache Components feature are susceptible to connection exhaustion. A remote attacker can send crafted POST requests to a server action, triggering a request-body handling deadlock. This leaves connections open, consuming server resources and ultimately leading to a Denial of Service (DoS) for legitimate users.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	next	>=15.0.0 <15.5.16 \|\| >=16.0.0 <16.2.5	15.5.16, 16.2.5
rpm rhel10	firefox	-	-
rpm rhel7	firefox	-	-
rpm rhel8	firefox	-	-
rpm rhel9	firefox	-	-
rpm rhel10	thunderbird	-	-
rpm rhel8	thunderbird	-	-
rpm rhel9	thunderbird	-	-

Aliases

1. CVE-2026-445792. NVD-2026-445793. OSV-2026-445794. GHSA-mg66-mrh9-m8jx5. GCVE-2026-44579

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx2. https://github.com/vercel/next.js/releases/tag/v15.5.163. https://github.com/vercel/next.js/releases/tag/v16.2.5