=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN080
_____________________________________________________________________

DATE                : 27/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running next(npm) versions prior to
                       15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11,
                       15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5.

=====================================================================
https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf
https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f
https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h
_____________________________________________________________________


Denial of Service with Server Components
High
feedthejim published GHSA-h25m-26qc-wcjf Jan 26, 2026

Package
next (npm)

Affected versions
>=13.0.0 <15.0.8, >=15.0.0 <15.6.0-canary.61, >=16.0.0 <16.1.5

Patched versions
15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 
16.0.11, 16.1.5


Description

A vulnerability affects certain React Server Components packages for 
versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the 
affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using 
the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server 
Function endpoint that, when deserialized, may trigger excessive CPU 
usage, out-of-memory exceptions, or server crashes. This can result in 
denial of service in unpatched environments.


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2026-23864

Weaknesses
Weakness CWE-770 

_____________________________________________________________________


Denial of Service in Image Optimizer
Moderate
andresriancho published GHSA-9g9p-9gw9-jx7f Jan 26, 2026

Package
next (npm)

Affected versions
10.0.0
11.0.0
12.0.0
13.0.0
14.0.0
15.0.0
16.0.0

Patched versions
15.5.10
16.1.5


Description

A denial of service vulnerability exists in self-hosted Next.js
applications that have remotePatterns configured for the Image
Optimizer. The image optimization endpoint (/_next/image) loads
external images entirely into memory without enforcing a maximum size
limit, allowing an attacker to cause out-of-memory conditions by
requesting optimization of arbitrarily large images. This vulnerability
requires that remotePatterns is configured to allow image optimization
from external domains and that the attacker can serve or control a large
image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and
prevent availability issues in Next applications.

Severity
Moderate
5.9 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2025-59471

Weaknesses
Weakness CWE-770 

_____________________________________________________________________


Denial of Service in Partial Pre Rendering
Moderate
andresriancho published GHSA-5f7q-jpqc-wp7h Jan 26, 2026

Package
next (npm)

Affected versions
15.0.0-canary.0, 15.0.1-canary.0, 15.0.2-canary.0, 15.0.3-canary.0,
15.0.4-canary.0, 15.1.0-canary.0, 15.1.1-canary.0, 15.1.2-canary.0,
15.1.3-canary.0, 15.1.4-canary.0, 15.1.5-canary.0, 15.1.6-canary.0,
15.1.7-canary.0, 15.2.0-canary.0, 15.2.1-canary.0, 15.2.2-canary.0,
15.2.3-canary.0, 15.2.4-canary.0, 15.2.5-canary.0, 15.3.0-canary.0,
15.3.1-canary.0, 15.3.2-canary.0, 15.1.8-canary.0, 15.3.3-canary.0,
15.4.0-canary.0, 15.3.4-canary.0, 15.3.5-canary.0, 15.4.1-canary.0,
15.4.2-canary.0, 15.4.3-canary.0, 15.4.4-canary.0, 15.4.5-canary.0,
15.4.6-canary.0, 15.4.7-canary.0, 15.5.0-canary.0, 15.5.1-canary.0,
15.5.2-canary.0, 15.5.3-canary.0, 15.5.4-canary.0, 15.5.5-canary.0,
15.5.6-canary.0, 15.5.7-canary.0, 15.4.8-canary.0, 15.1.9-canary.0,
15.0.5-canary.0, 15.3.6-canary.0, 15.2.6-canary.0, 15.5.8-canary.0,
15.4.9-canary.0, 15.3.7-canary.0, 15.2.7-canary.0, 15.1.10-canary.0,
15.0.6-canary.0, 15.5.9-canary.0, 15.4.10-canary.0, 15.3.8-canary.0,
15.2.8-canary.0, 15.1.11-canary.0, 15.0.7-canary.0, 16.1.0

Patched versions
15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.1.1, 15.1.2,
15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.2.0, 15.2.1, 15.2.2,
15.2.3, 15.2.4, 15.2.5, 15.3.0, 15.3.1, 15.3.2, 15.1.8, 15.3.3,
15.4.0, 15.3.4, 15.3.5, 15.4.1, 15.4.2, 15.4.3, 15.4.4, 15.4.5,
15.4.6, 15.4.7, 15.5.0, 15.5.1, 15.5.2, 15.5.3, 15.5.4, 15.5.5,
15.5.6, 15.5.7, 15.4.8, 15.1.9, 15.0.5, 15.3.6, 15.2.6, 15.5.8,
15.4.9, 15.3.7, 15.2.7, 15.1.10, 15.0.6, 15.5.9, 15.4.10, 15.3.8,
15.2.8, 15.1.11, 15.0.7, 16.1.5


Description

A denial of service vulnerability exists in Next.js versions with 
Partial Prerendering (PPR) enabled when running in minimal mode. The 
PPR resume endpoint accepts unauthenticated POST requests with the 
Next-Resume: 1 header and processes attacker-controlled postponed 
state data. Two closely related vulnerabilities allow an attacker to 
crash the server process through memory exhaustion:

    Unbounded request body buffering: The server buffers the entire
    POST request body into memory using Buffer.concat() without
    enforcing any size limit, allowing arbitrarily large payloads to
    exhaust available memory.

    Unbounded decompression (zipbomb): The resume data cache is
    decompressed using inflateSync() without limiting the decompressed
    output size. A small compressed payload can expand to hundreds of
    megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL 
ERROR: Reached heap limit Allocation failed - JavaScript heap out of 
memory) causing the Node.js process to terminate. The zipbomb variant 
is particularly dangerous as it can bypass reverse proxy request size 
limits while still causing large memory allocation on the server.

To be affected you must have an application running with 
experimental.ppr: true or cacheComponents: true configured along with 
the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce 
risk and prevent availability issues in Next applications.

Severity
Moderate
5.9 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2025-59472

Weaknesses
Weakness CWE-770

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




