CVE-2026-27980

Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd	Patch
https://github.com/vercel/next.js/releases/tag/v16.1.7	Release Notes
https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8	Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

History

18 Mar 2026, 19:52

Type	Values Removed	Values Added
References	~~() https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd -~~	() https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd - Patch
References	~~() https://github.com/vercel/next.js/releases/tag/v16.1.7 -~~	() https://github.com/vercel/next.js/releases/tag/v16.1.7 - Release Notes
References	~~() https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8 -~~	() https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8 - Vendor Advisory, Mitigation
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Vercel next.js Vercel
CPE		cpe:2.3:a:vercel:next.js::::::node.js::*

18 Mar 2026, 14:52

Type	Values Removed	Values Added
Summary		(es) Next.js es un React framework para construir aplicaciones web full-stack. A partir de la versión 10.0.0 y antes de la versión 16.1.7, la caché de disco predeterminada de optimización de imágenes de Next.js ('/_next/image') no tenía un límite superior configurable, permitiendo un crecimiento ilimitado de la caché. Un atacante podría generar muchas variantes únicas de optimización de imágenes y agotar el espacio en disco, causando denegación de servicio. Esto se corrige en la versión 16.1.7 añadiendo una caché de disco basada en LRU con 'images.maximumDiskCacheSize', incluyendo la expulsión de las entradas menos usadas recientemente cuando se excede el límite. Establecer 'maximumDiskCacheSize: 0' deshabilita el almacenamiento en caché en disco. Si la actualización no es inmediatamente posible, limpie periódicamente '.next/cache/images' y/o reduzca la cardinalidad de las variantes (por ejemplo, ajuste los valores para 'images.localPatterns', 'images.remotePatterns' y 'images.qualities').

18 Mar 2026, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-18 01:16

Updated : 2026-03-18 19:52

NVD link : CVE-2026-27980

Mitre link : CVE-2026-27980

CVE.ORG link : CVE-2026-27980

JSON object : View

Products Affected

vercel

next.js

CWE

CWE-400

Uncontrolled Resource Consumption

7.5 /10