CVE-2026-27980
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Next.js is a popular open-source React framework that enables server-side rendering, static site generation, and full-stack web application development.
A medium-severity Denial of Service (DoS) vulnerability (CVE-2026-27980) has been identified in Next.js. The default image optimization endpoint (/_next/image) writes optimized image variants to a disk cache at .next/cache/images/ without any configurable upper bound or eviction policy. An attacker can generate many unique image optimization variants by varying the w (width) and q (quality) query parameters, causing unbounded cache growth that can exhaust available disk space and render the application unavailable.
Per OWASP: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities.
Details
Module Info
- Product: Next.js
- Affected packages: next
- Affected versions: >=10.0.0 <16.1.7
- GitHub repository: https://github.com/vercel/next.js
- Published packages: https://www.npmjs.com/package/next
- Package manager: npm
- Fixed in:
  - OSS v16.1.7
Vulnerability Info
This medium-severity vulnerability is found in all versions of Next.js from 10.0.0 up to (but not including) 16.1.7. See the affected versions above for specific details.
The vulnerability exists in the ImageOptimizerCache class within next/dist/server/image-optimizer.js. The set() method writes optimized images to .next/cache/images/ without tracking total cache size or evicting old entries. Each unique combination of source image URL, width, and quality generates a separate cached file that persists indefinitely.
This vulnerability could be exploited by:
- Sending a large number of requests to /_next/image with varying w and q parameters for any valid image source
- Automating requests across the full set of allowed widths and quality values to maximize cache entries
- Exhausting disk space on the server, leading to application crashes or inability to serve new requests
The fix introduced an LRU-backed disk cache with a new images.maximumDiskCacheSize configuration option. When the cache exceeds the configured limit, least-recently-used entries are evicted. Setting maximumDiskCacheSize: 0 disables disk caching entirely.
Mitigation
Next.js versions prior to 16.1.7 are affected and the fix is only available in v16.1.7 and later. Older major versions (10.x through 15.x) will not receive patches for this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to Next.js v16.1.7 or later.
- Periodically clean the .next/cache/images directory as a temporary workaround.
- Reduce variant cardinality by tightening images.localPatterns, images.remotePatterns, and images.qualities configuration values.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Vercel Security Team