CVE-2026-27980
March 18, 2026
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache ("/_next/image") did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with "images.maximumDiskCacheSize", including eviction of least-recently-used entries when the limit is exceeded. Setting "maximumDiskCacheSize: 0" disables disk caching. If upgrading is not immediately possible, periodically clean ".next/cache/images" and/or reduce variant cardinality (e.g., tighten values for "images.localPatterns", "images.remotePatterns", and "images.qualities").
Affected Packages
https://github.com/vercel/next.js.git (GITHUB):
  Affected version(s): >=v16.0.0 <v16.1.7
  Fix Suggestion: Update to version v16.1.7
https://github.com/vercel/next.js.git (GITHUB):
  Affected version(s): >=v10.0.0 <v15.5.13
  Fix Suggestion: Update to version v15.5.13
next (NPM):
  Affected version(s): >=10.0.0 <15.5.14
  Fix Suggestion: Update to version 15.5.14
next (NPM):
  Affected version(s): >=16.0.0-beta.0 <16.1.7
  Fix Suggestion: Update to version 16.1.7
CVSS v4
Base Score: 6.9
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: NONE
Vulnerable System Integrity: NONE
Vulnerable System Availability: LOW
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: LOW
Weakness Type (CWE)
Uncontrolled Resource Consumption
EPSS
Base Score: 0.01