PT-2026-39410 · Vercel · Next.js

Published 2026-05-09 · Updated 2026-05-13 · CVE-2026-44577

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Next.js versions 10.0.0 through 15.5.15
Next.js versions 16.0.0 through 16.2.4

Description

When self-hosting with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker can trigger out-of-memory conditions by requesting large local assets from the '/_next/image' endpoint that match the images.localPatterns configuration, which allows all patterns by default.

Recommendations

Update to version 15.5.16 or to version 16.2.5. As a temporary workaround, avoid routing large local assets through '/_next/image', disable image optimization for large or untrusted local files, or block image optimization access to those assets at the edge. Disable the affected functionality using the images.localPatterns: [] configuration. Adjust the images.maximumResponseBody configuration to apply response size limits.
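As an added illustration (not part of the advisory or of the Next.js project), a next.config.js that replaces the allow-all default with a scoped local pattern and the response size limit the advisory names, plus a small pre-deploy check. The asset directory, the byte value and the auditImageConfig helper are assumptions; the images.maximumResponseBody key is used as the advisory names it.

```javascript
// next.config.js: added example, not code from the advisory or from Next.js.
// With images.localPatterns unset (the default), any local path can be
// requested through /_next/image and is buffered whole in memory.
//
// Assumptions: optimizable images live under /assets/images, and 20 MiB is an
// acceptable upper bound for one local asset. images.maximumResponseBody is
// used with the name given in the advisory's recommendations.
const MAX_LOCAL_IMAGE_BYTES = 20 * 1024 * 1024;

/** @type {import('next').NextConfig} */
const nextConfig = {
  images: {
    // Only paths under this directory may be routed through the optimizer.
    // To disable local optimization entirely, the advisory's workaround is
    // localPatterns: [] instead.
    localPatterns: [
      { pathname: '/assets/images/**', search: '' },
    ],
    // Response size cap named in the advisory; the value is an assumption.
    maximumResponseBody: MAX_LOCAL_IMAGE_BYTES,
  },
};

// Hypothetical deployment check (not a Next.js API): returns the list of
// mitigations still missing from a config, so CI can fail on the default.
function auditImageConfig(config) {
  const images = (config && config.images) || {};
  const findings = [];
  if (images.localPatterns === undefined) {
    findings.push('images.localPatterns unset: every local path is optimizable');
  }
  if (images.maximumResponseBody === undefined) {
    findings.push('images.maximumResponseBody unset: no response size limit');
  }
  return findings;
}

module.exports = nextConfig;
```

Running auditImageConfig against the hardened config above returns no findings, while a config with an empty images block returns both.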

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-44577
GHSA-H64F-5H5J-JQJH

Affected Products

Next.js