CVE-2026-44577
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Next.js is a popular open-source React framework developed by Vercel that enables server-side rendering, static site generation, and full-stack web application development.
A medium-severity Denial of Service (DoS) vulnerability (CVE-2026-44577) has been identified in Next.js. The image optimization endpoint (/_next/image) has two upstream fetch branches: one for absolute (external) URLs and one for local URLs. While the external branch is bounded by images.maximumResponseBody, the local branch buffers the entire upstream response into memory with no size cap. An attacker who can request a large local asset (or any static asset proxied through a Next.js rewrite that lands in the local branch) can drive resident memory up by the full file size for every concurrent request, eventually exhausting process memory.
Per OWASP: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities.
Details
Module Info
- Product: Next.js
- Affected packages: next
- Affected versions: >=10.0.0 <15.5.16; >=16.0.0 <16.2.5
- GitHub repository: https://github.com/vercel/next.js
- Published packages: https://www.npmjs.com/package/next
- Package manager: npm
- Fixed in:
  - OSS v15.5.16, v16.2.5
  - NES for Next.js v12.3.14
Vulnerability Info
This medium-severity vulnerability is found in Next.js versions >=10.0.0 and <15.5.16, as well as versions >=16.0.0 and <16.2.5.
In the local-asset branch of imageOptimizer(), the upstream response is piped into an in-memory mock Stream.Writable whose write override pushes every chunk into a resBuffers array and concatenates without any size cap. Because there is no equivalent of the bytesReceived accounting that already protects the absolute-URL branch, a request for a large local asset reads the full file into memory before any validation runs.
This vulnerability could be exploited by:
- requesting /_next/image?url=/large-asset&w=640&q=75 for a sufficiently large file served from public/
- requesting /_next/image with a url that resolves to a static asset proxied through a Next.js rewrite landing in the local branch
- issuing multiple concurrent requests to multiply per-request memory cost and exhaust process memory
This does not impact applications hosted on providers that handle image optimization at the CDN level, such as Vercel.
Mitigation
Next.js versions prior to 15.5.x are End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to a fixed version of Next.js.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.