Allocation of Resources Without Limits or Throttling

CVE-2026-44579

High

7.5/10

Summary

Next.js is a React framework for building full-stack web applications. In versions 15.0.0 prior to 15.5.16 and 16.0.0 prior to 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-770 - Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

Advisory

Advisory Timeline

Published May 13, 2026

Allocation of Resources Without Limits or Throttling

CVE-2026-44579

Summary

CWE-770 - Allocation of Resources Without Limits or Throttling

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS