CVE-2026-27980
Denial of Service vulnerability in next (npm)
What is CVE-2026-27980 About?
This Next.js vulnerability allows a denial-of-service attack because the image optimization disk cache has no upper bound. An attacker can request many unique image-optimization variants, each of which is written to the cache, until the disk is full. The attack is remote and relatively easy to carry out with crafted requests.
Affected Software
Technical Details
The vulnerability lies in the default Next.js image optimization disk cache (served through /_next/image), which lacks a configurable upper bound. An attacker can request numerous unique image optimization variants. Each unique variant request causes the server to generate a new optimized image and store it in the disk cache. Without a size limit or eviction policy, this continues until the available disk space is completely exhausted, resulting in a denial-of-service condition.
What is the Impact of CVE-2026-27980?
Successful exploitation may allow attackers to exhaust disk space, leading to a denial of service, data loss, and operational disruption.
What is the Exploitability of CVE-2026-27980?
Exploitation involves making numerous requests for unique image optimization variants through the /_next/image endpoint. The attack is remote and requires neither authentication nor elevated privileges. The complexity is low, since it primarily involves generating distinct URLs that each create a new image cache entry. The primary risk factors are the absence of a configured images.maximumDiskCacheSize and exposure of the Next.js application to untrusted users, which together can lead to disk space exhaustion and service unavailability.
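The pattern described above (one client producing a large number of distinct image-optimization variants) is visible in ordinary web server access logs. The following is an added example, not code from the advisory or from the Next.js project: it parses combined-format access log lines, builds a variant key from the `url`, `w` and `q` query parameters of successful `/_next/image` requests, and reports clients whose count of distinct variants exceeds a threshold. The log lines, IP addresses and the threshold value are constructed for the example.

```javascript
// Added example (not from the advisory or the Next.js project): flag clients
// that request an unusually large number of distinct /_next/image variants.
// Each distinct (url, w, q) combination is a separate disk-cache entry, so a
// single client producing hundreds of them matches the behaviour described above.

// Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status bytes ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

// Parse one access-log line into its interesting fields; null if it does not match.
function parseLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Reduce a request path to the cache-relevant variant key, or null if it is
// not an image optimization request. searchParams decodes %2F etc. for us.
function variantKey(path) {
  const u = new URL(path, 'http://localhost'); // base is only needed for parsing
  if (u.pathname !== '/_next/image') return null;
  const p = u.searchParams;
  return [p.get('url') ?? '', p.get('w') ?? '', p.get('q') ?? ''].join('|');
}

// Count distinct successfully served variants per client and return the
// clients at or above the threshold, most variants first.
function findImageVariantAbusers(lines, { threshold = 50 } = {}) {
  const perClient = new Map(); // ip -> Set of variant keys
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || req.status < 200 || req.status >= 300) continue; // only 2xx hit the disk cache
    const key = variantKey(req.path);
    if (key === null) continue;
    if (!perClient.has(req.ip)) perClient.set(req.ip, new Set());
    perClient.get(req.ip).add(key);
  }
  return [...perClient.entries()]
    .map(([ip, keys]) => ({ ip, distinctVariants: keys.size }))
    .filter((r) => r.distinctVariants >= threshold)
    .sort((a, b) => b.distinctVariants - a.distinctVariants);
}

// Constructed sample log: one ordinary visitor and one client churning variants.
function buildSampleLog() {
  const lines = [];
  // A legitimate visitor fetching the three srcset sizes of one image.
  for (const w of [640, 1080, 1920]) {
    lines.push(`203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /_next/image?url=%2Fhero.png&w=${w}&q=75 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"`);
  }
  // A client requesting 150 distinct (url, w, q) combinations; widths are
  // constructed only so that every key differs.
  for (let i = 0; i < 150; i++) {
    lines.push(`198.51.100.7 - - [10/Mar/2026:12:00:02 +0000] "GET /_next/image?url=%2Fhero.png&w=${16 + i}&q=${50 + (i % 50)} HTTP/1.1" 200 9000 "-" "curl/8.0"`);
  }
  // A repeat of an already-seen variant: a cache hit, so it must not add to the count.
  lines.push('198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "GET /_next/image?url=%2Fhero.png&w=16&q=50 HTTP/1.1" 200 9000 "-" "curl/8.0"');
  // Unrelated traffic that must be ignored.
  lines.push('203.0.113.5 - - [10/Mar/2026:12:00:04 +0000] "GET /api/health HTTP/1.1" 200 2 "-" "Mozilla/5.0"');
  return lines;
}

// Usage: prints [{ ip: '198.51.100.7', distinctVariants: 150 }] for the sample.
console.log(findImageVariantAbusers(buildSampleLog()));
```

The threshold and time window should be tuned to the site: a page with large srcsets legitimately produces a few dozen variants per visitor, so the distinguishing signal is the count of distinct keys, not the raw request count. The same key function can be reused to watch cache directory growth rate on the server itself.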
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-27980?
Available Upgrade Options
- next: affected versions >=10.0.0, <16.1.7 → upgrade to 16.1.7
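The page names the absence of a configured images.maximumDiskCacheSize as the main risk factor, so after upgrading to 16.1.7 the cache bound should be set explicitly. The following is an added example and not the project's own configuration: it shows an unbounded configuration beside a bounded one, and a small check that can be run in CI to fail the build when the bound is missing. The 1 GiB value is constructed, and treating the option as a byte count is an assumption that should be confirmed against the Next.js documentation for 16.1.7.

```javascript
// Added example (not the Next.js project's own config): bound the image
// optimization disk cache and verify the bound is present before deploying.
// ASSUMPTION: images.maximumDiskCacheSize is taken to be a byte count here;
// the 1 GiB figure is constructed for the example.

// Weak setting: no cache bound, so every distinct variant accumulates on disk.
const unboundedConfig = {
  images: {
    remotePatterns: [{ protocol: 'https', hostname: 'cdn.example.invalid' }], // constructed host
  },
};

// Corrected setting: the cache is capped, so variant churn evicts old entries
// instead of filling the disk.
const nextConfig = {
  images: {
    remotePatterns: [{ protocol: 'https', hostname: 'cdn.example.invalid' }], // constructed host
    maximumDiskCacheSize: 1024 * 1024 * 1024, // 1 GiB, constructed value
  },
};

// True only when a finite, positive cache bound is configured.
function hasBoundedImageCache(config) {
  const limit = config?.images?.maximumDiskCacheSize;
  return typeof limit === 'number' && Number.isFinite(limit) && limit > 0;
}

// Throws with an actionable message so a misconfigured build fails early.
function assertBoundedImageCache(config) {
  if (!hasBoundedImageCache(config)) {
    throw new Error(
      'images.maximumDiskCacheSize is not set: the /_next/image disk cache is unbounded',
    );
  }
  return config;
}

// In next.config.js the bottom line would be:
//   module.exports = assertBoundedImageCache(nextConfig);
// Guarded here so the file also loads as an ES module.
if (typeof module !== 'undefined') module.exports = assertBoundedImageCache(nextConfig);
```

Keeping the check next to the configuration means a later refactor that drops the key fails the build rather than silently reintroducing the unbounded cache.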
Additional Resources
- https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8
- https://github.com/vercel/next.js
- https://github.com/vercel/next.js/releases/tag/v16.1.7
- https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd
- https://osv.dev/vulnerability/GHSA-3x4c-7xq6-9pq8
What are Similar Vulnerabilities to CVE-2026-27980?
Similar Vulnerabilities: CVE-2023-38545, CVE-2022-23594, CVE-2021-39148, CVE-2020-13768, CVE-2018-12020
