[GHSA-5f7q-jpqc-wp7h] Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

[cylewaitforit]

Updates

• Affected products

Comments
#6741 (comment)

To match what is reflected by GHSA-5f7q-jpqc-wp7h

[github]

Hi there @andresriancho! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[Copilot]

Pull request overview

This PR updates the security advisory for CVE-2025-59472 (Next.js Unbounded Memory Consumption via PPR Resume Endpoint) by expanding the list of affected package versions. The vulnerability affects Next.js versions with Partial Prerendering (PPR) enabled in minimal mode, where canary versions throughout the 15.0.x through 15.5.x series contained the vulnerability in their canary builds, with each stable release fixing its corresponding canaries.

Changes:

• Updated the modified timestamp from 2026-01-28T15:20:56Z to 2026-01-28T15:20:57Z
• Added detailed version range entries for all affected Next.js versions from 15.0.0 through 15.5.9, documenting that canary versions in each release cycle were vulnerable while stable releases fixed them
• Added final fix version ranges showing 15.6.0-canary.61 and 16.1.5 as the versions containing the complete fix

Comments suppressed due to low confidence (1)

advisories/github-reviewed/2026/01/GHSA-5f7q-jpqc-wp7h/GHSA-5f7q-jpqc-wp7h.json:1157

• Potential discrepancy with referenced patch versions. The comment in PR #6741 states that versions 15.5.10, 15.5.11, and 15.6.0-canary.61 contain the patch for this vulnerability. However, this advisory only includes vulnerability ranges up to 15.5.9, then jumps to 15.6.0-canary.0. If versions 15.5.10 and 15.5.11 exist and have canary releases, those ranges should also be documented here. Please verify whether these versions exist for Next.js and whether they should be included in this advisory, or clarify if the PR #6741 comment refers to a different CVE.

    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "15.5.9-canary.0"
            },
            {
              "fixed": "15.5.9"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "15.6.0-canary.0"
            },
            {
              "fixed": "15.6.0-canary.61"
            }
          ]
        }
      ]
    },

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.