PT-2026-23119 · Vercel · Next.Js

Tanner · Published 2026-03-04 · Updated 2026-05-27 · CVE-2026-27980

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Next.js versions 10.0.0 through 16.1.6

Description

Next.js is a React framework for building full-stack web applications. Its default image optimization disk cache (/_next/image) had no configurable upper bound, so the cache could grow without limit. An attacker could exploit this by generating numerous unique image optimization variants, potentially exhausting disk space and causing a denial of service. The issue does not impact platforms with their own image optimization capabilities. The affected component is the image optimization disk cache. The vulnerable parameters include images.localPatterns, images.remotePatterns, and images.qualities, which control variant cardinality.

Recommendations

Upgrade Next.js versions prior to 16.1.7 to version 16.1.7. If upgrading is not immediately possible, periodically clean the .next/cache/images directory. As an alternative, reduce variant cardinality by tightening the values for images.localPatterns, images.remotePatterns, and images.qualities. Setting images.maximumDiskCacheSize: 0 disables disk caching.

Exploit

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-27980
GHSA-3X4C-7XQ6-9PQ8

Affected Products

Next.Js