Next.js CVE-2026-44577
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (https://github.com/vercel/next.js).
CVSS VectorVendor: https://github.com/vercel/next.js
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 6 npm packages depend on next (5 direct, 1 indirect)
Ecosystem-wide dependent count for version 10.0.0.
DescriptionCVE.org
Impact
When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed).
- If you are using
images.localPatterns, only the patterns in that array are impacted. - If you are using
images.unoptimized: true, you are NOT impacted. - If you are using
images.loader: 'custom', you are NOT impacted. - If you are using Vercel, you are NOT impacted.
Fix
We now apply response size limits consistently to internal image fetches, not just external ones, and fail oversized responses before they can exhaust process memory.
This can be adjusted using the images.maximumResponseBody configuration.
Workarounds
If you cannot upgrade immediately, avoid routing large local assets through /_next/image, disable image optimization for large or untrusted local files, or block image optimization access to those assets at the edge.
You can disable using the images.localPatterns: [] configuration. This will still allow fetching remote images (which is not impacted).
AnalysisAI
Denial of service in Next.js Image Optimization API allows remote attackers to exhaust server memory by requesting large local assets through the /_next/image endpoint when using the default image loader without size limits. The vulnerability affects self-hosted Next.js deployments with default or configured images.localPatterns; Vercel-hosted and applications using unoptimized images or custom loaders are unaffected. Vendor-released patches available: version 15.5.16 and 16.2.5.
Technical ContextAI
Next.js Image Optimization API is a server-side image processing feature that fetches and optimizes images to improve web performance. When self-hosting with the default image loader, the API processes requests to the /_next/image endpoint to fetch local images matching images.localPatterns configuration. The underlying vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling) - the image fetching code loads entire image files into process memory without enforcing maximum response size constraints, unlike the existing protections applied to external image requests. The root cause is inconsistent application of size limits between internal (local) and external image fetch operations. NPM package pkg:npm/next is the affected component.
RemediationAI
Upgrade Next.js to version 15.5.16 or later if on the 15.x branch, or version 16.2.5 or later if on the 16.x branch. The patch applies consistent response size limits to internal image fetches via the new images.maximumResponseBody configuration option. If immediate upgrade is not feasible, implement workarounds: disable image optimization for untrusted local assets by setting images.localPatterns: [] (remote images remain functional), or block access to /_next/image endpoint at the edge/reverse proxy for untrusted clients. Alternatively, segregate large local assets away from image optimization routes or disable the Image Optimization API entirely if not required. Verify that custom image loaders or images.unoptimized: true are in use for critical paths to confirm non-impact. Security advisory: https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-h64f-5h5j-jqjh