
Conversation


@ivanjoe ivanjoe commented Jan 29, 2026

Updates

  • Affected products

Comments
According to the references below, versions 15.5.10, 15.5.11, and 15.6.0-canary.61 contain the patch against the vulnerabilities.
https://nvd.nist.gov/vuln/detail/CVE-2025-59472
https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472

Collaborator

github commented Jan 29, 2026

Hi there @andresriancho! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to ivanjoe/advisory-improvement-6741 January 29, 2026 10:33

cylewaitforit commented Jan 29, 2026

15.5.10 is still not a resolution for this but 15.5.11 is.

I closed #6742 thinking it was a duplicate of this but I believe it is probably the more accurate update.

@icyJoseph

CVE-2025-59472 only affects applications running with the experimental.ppr: true or cacheComponents: true configuration options and NEXT_PRIVATE_MINIMAL_MODE=1 as an environment variable.

Vulnerability to CVE-2025-59472 in v15 apps only happens in 15-canary.x versions - experimental.ppr was only available in the canaries for v15

@helixplant

Hi,
We understand the confusion around the version ranges for CVE-2025-59472.
After discussing with the Next.js team, we can confirm that CVE-2025-59472 is patched in versions 15.6.0-canary.61 and 16.1.5. The advisory currently reflects the correct patched versions.
For additional reference, CVE-2025-59471 is patched in versions 15.5.10 and 16.1.5.
Please let us know if you have any other questions.

#6736
#6740
#6745
#6742

@helixplant helixplant closed this Jan 30, 2026
@github-actions github-actions bot deleted the ivanjoe-GHSA-5f7q-jpqc-wp7h branch January 30, 2026 17:06
@cylewaitforit

@helixplant Please re-review v15.5.11 as it was released later and states that it backports fixes from v15.6.0-canary.61.


ztanner commented Jan 31, 2026

@cylewaitforit 👋 Next.js maintainer here!

v15.5.11 does not contain any security fixes, it was just a regular release for important bugfixes.

PPR on stable versions of v15 would throw an error if you attempted to use it as it was only intended for our pre-release (canary) channel. Hence we did not backport that fix to a v15 release.

@cylewaitforit

Thanks @ztanner, that is helpful context, and if the stable versions were never vulnerable to this, then it would confirm that the current versions in this advisory still need adjusting.

As it stands at the moment, if a repo is on v15.5.11 or v15.5.10 or any of the other previous stable versions in 15, they would be seeing this advisory, as I am seeing it on v15.5.10. That is because semantically they are all lower than 15.6.0-canary.61, which is currently the lowest listed patched version.

