Next.js: Unbounded postponed resume buffering can lead to DoS
Summary A request containing the next-resume: 1 header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. Impact In applications using the App Router with Partial Prerendering capability enabled (via experimental.ppr or cacheComponents), an attacker could send oversized next-resume POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. Patches Fixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. Workarounds If upgrade is not immediately possible: Block requests containing the next-resume header, as this is never valid to be sent from an untrusted client.