CVE-2025-59472
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
Executive Summary
CVE-2025-59472 is a high severity vulnerability affecting binary-analysis. It is classified as an undisclosed flaw. Ensure your systems and dependencies are patched immediately to mitigate exposure risks.
Precogs AI Insight
"Architecturally, this flaw occurs due to within A denial of service vulnerability, allowing the insecure processing of malicious payloads. In practice, this allows unauthorized actors to silently exfiltrate sensitive routing topologies and internal schemas. Precogs Binary SAST/DAST engine uncovers boundary violations in compiled software to flag these architectural defects instantly."
What is this vulnerability?
CVE-2025-59472 is categorized as a critical Memory Corruption Vulnerability flaw. Based on our vulnerability intelligence, this issue occurs when the application fails to securely handle untrusted data boundaries.
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint .
This architectural defect enables adversaries to bypass intended security controls, directly manipulating the application's execution state or data layer. Immediate strategic intervention is required.
Risk Assessment
| Metric | Value |
|---|---|
| CVSS Base Score | 8.1 (HIGH) |
| Vector String | N/A |
| Published | January 28, 2026 |
| Last Modified | February 6, 2026 |
| Related CWEs | N/A |
Impact on Systems
✅ Remote Code Execution: Adversaries may execute arbitrary code by overwriting memory regions.
✅ Denial of Service: Memory corruption often leads to unrecoverable application crashes.
✅ Information Disclosure: Out-of-bounds reads can expose adjacent memory containing sensitive data.
How to fix this issue?
Implement the following strategic mitigations immediately to eliminate the attack surface.
1. Memory-Safe Languages When possible, migrate parsing logic to memory-safe languages like Rust or Go.
2. Compiler Protections Ensure the binary is compiled with ASLR, DEP/NX, Stack Canaries, and RELRO.
3. Fuzz Testing Implement continuous fuzzing with AddressSanitizer (ASan) in the CI/CD pipeline.
Vulnerability Signature
// Generic Memory Corruption Vector (C/C++)
void process_input(char *user_data, size_t size) \{
char buffer[256];
// DANGEROUS: Unbounded memory operation
memcpy(buffer, user_data, size); // size may exceed 256
// SECURED: Bound-checked operation
if (size \> sizeof(buffer)) \{
size = sizeof(buffer);
\}
memcpy(buffer, user_data, size);
\}
References and Sources
Vulnerability Code Signature
Attack Data Flow
| Stage | Detail |
|---|---|
| Source | Network packet or file input |
| Vector | Data exceeds the allocated buffer bounds during a copy operation |
| Sink | strcpy(), memcpy(), or pointer arithmetic |
| Impact | Memory corruption, Remote Code Execution (RCE) |
Vulnerable Code Pattern
// ❌ VULNERABLE: Memory Corruption
void process_data(char *input) {
char buffer[128];
// Taint sink: copies without bounds checking
strcpy(buffer, input);
}
Secure Code Pattern
// ✅ SECURE: Bounded Memory Operations
void process_data(char *input) {
char buffer[128];
// Sanitized boundary check
strncpy(buffer, input, sizeof(buffer) - 1);
buffer[sizeof(buffer) - 1] = '\0';
}
How Precogs Detects This
Precogs Binary SAST engine explicitly uncovers memory boundary violations and unsafe memory management functions in compiled binaries.\n