Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the "next-resume: 1" header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing "maxPostponedStateSize" in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via "experimental.ppr" or "cacheComponents"), an attacker could send oversized "next-resume" POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the "next-resume" header, as this is never valid to be sent from an untrusted client.