Skip to main content

Next.js CVE-2026-44577

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-11 https://github.com/vercel/next.js GHSA-h64f-5h5j-jqjh
5.9
CVSS 3.1 · Vendor: https://github.com/vercel/next.js
Share

Severity by source

Vendor (https://github.com/vercel/next.js) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/vercel/next.js).

CVSS VectorVendor: https://github.com/vercel/next.js

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:17 vuln.today
Analysis Generated
May 11, 2026 - 16:17 vuln.today
CVE Published
May 11, 2026 - 15:56 nvd
MEDIUM 5.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 npm packages depend on next (5 direct, 1 indirect)

Ecosystem-wide dependent count for version 10.0.0.

DescriptionCVE.org

Impact

When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed).

  • If you are using images.localPatterns, only the patterns in that array are impacted.
  • If you are using images.unoptimized: true, you are NOT impacted.
  • If you are using images.loader: 'custom', you are NOT impacted.
  • If you are using Vercel, you are NOT impacted.

Fix

We now apply response size limits consistently to internal image fetches, not just external ones, and fail oversized responses before they can exhaust process memory.

This can be adjusted using the images.maximumResponseBody configuration.

Workarounds

If you cannot upgrade immediately, avoid routing large local assets through /_next/image, disable image optimization for large or untrusted local files, or block image optimization access to those assets at the edge.

You can disable using the images.localPatterns: [] configuration. This will still allow fetching remote images (which is not impacted).

AnalysisAI

Denial of service in Next.js Image Optimization API allows remote attackers to exhaust server memory by requesting large local assets through the /_next/image endpoint when using the default image loader without size limits. The vulnerability affects self-hosted Next.js deployments with default or configured images.localPatterns; Vercel-hosted and applications using unoptimized images or custom loaders are unaffected. Vendor-released patches available: version 15.5.16 and 16.2.5.

Technical ContextAI

Next.js Image Optimization API is a server-side image processing feature that fetches and optimizes images to improve web performance. When self-hosting with the default image loader, the API processes requests to the /_next/image endpoint to fetch local images matching images.localPatterns configuration. The underlying vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling) - the image fetching code loads entire image files into process memory without enforcing maximum response size constraints, unlike the existing protections applied to external image requests. The root cause is inconsistent application of size limits between internal (local) and external image fetch operations. NPM package pkg:npm/next is the affected component.

RemediationAI

Upgrade Next.js to version 15.5.16 or later if on the 15.x branch, or version 16.2.5 or later if on the 16.x branch. The patch applies consistent response size limits to internal image fetches via the new images.maximumResponseBody configuration option. If immediate upgrade is not feasible, implement workarounds: disable image optimization for untrusted local assets by setting images.localPatterns: [] (remote images remain functional), or block access to /_next/image endpoint at the edge/reverse proxy for untrusted clients. Alternatively, segregate large local assets away from image optimization routes or disable the Image Optimization API entirely if not required. Verify that custom image loaders or images.unoptimized: true are in use for critical paths to confirm non-impact. Security advisory: https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh.

Vendor StatusVendor

Share

CVE-2026-44577 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy