CVE-2026-27980
Unbounded Disk Cache Growth in Next.js Image Optimization Causes DoS
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vercel | next.js | From 10.0.0 (inc) to 16.1.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27980 is a vulnerability in the Next.js React framework's image optimization feature that existed from version 10.0.0 up to but not including 16.1.7. The issue was that the default disk cache used for storing optimized images did not have an upper size limit, allowing the cache to grow without bound.

An attacker could exploit this by generating many unique image optimization variants, which would cause the disk cache to consume all available disk space. This could lead to denial of service (DoS) by exhausting disk resources.

The vulnerability was fixed in version 16.1.7 by introducing a Least Recently Used (LRU) disk cache mechanism controlled by the configuration parameter `images.maximumDiskCacheSize`. This limits the cache size and evicts the least recently used entries when the limit is exceeded. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by causing a denial of service (DoS) condition on your system. Because the image optimization disk cache can grow without limit, an attacker can force the cache to consume all available disk space.
When disk space is exhausted, your application or server may become unresponsive or fail to operate correctly, potentially disrupting service availability.
The vulnerability does not impact confidentiality or integrity but has a low impact on availability due to resource exhaustion.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring disk usage growth in the Next.js image optimization cache directory, typically located at `.next/cache/images`. Unusually large or rapidly growing disk usage in this directory may indicate exploitation attempts.
You can use system commands to check the size and contents of the cache directory to detect abnormal growth.
- Check disk usage of the cache directory: `du -sh .next/cache/images`
- List files sorted by size to identify large cache entries: `find .next/cache/images -type f -exec ls -lh {} + | sort -k 5 -h`
- Monitor disk space usage on the partition hosting the cache directory: `df -h`
- Set up alerts or scripts to notify when the cache directory size exceeds expected thresholds.
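A script that implements the threshold alert suggested in the last bullet, added here as an example and not part of the original advisory: it assumes the default cache path `.next/cache/images` named above and a 1 GiB budget (`LIMIT_KB`), both overridable through environment variables, and uses only POSIX `du`, `find` and `sort`.

```shell
#!/bin/sh
# Added example (not from the advisory): alert when the Next.js image
# optimization cache grows past a byte budget, as an interim detection
# for CVE-2026-27980 on versions that still lack an LRU-bounded cache.
CACHE_DIR="${CACHE_DIR:-.next/cache/images}"  # default path named on this page
LIMIT_KB="${LIMIT_KB:-1048576}"                # assumed 1 GiB budget; tune per host

# Total size of the cache directory in KB; 0 when it does not exist yet.
cache_size_kb() {
  [ -d "$1" ] || { echo 0; return 0; }
  du -sk "$1" | cut -f1
}

# Number of cached files; every unique width/quality variant adds more.
cache_entry_count() {
  [ -d "$1" ] || { echo 0; return 0; }
  find "$1" -type f | wc -l | tr -d ' '
}

# Exit status 0 when under the limit, 1 when over, so cron or a
# monitoring agent can alert on the return code.
cache_within_limit() {
  [ "$(cache_size_kb "$1")" -le "$2" ]
}

# Largest N files (KB, path), to see which variants dominate the cache.
largest_entries() {
  find "$1" -type f -exec du -k {} + | sort -rn | head -n "${2:-10}"
}

main() {
  size=$(cache_size_kb "$CACHE_DIR")
  count=$(cache_entry_count "$CACHE_DIR")
  echo "image cache: ${size} KB in ${count} files (limit ${LIMIT_KB} KB)"
  if cache_within_limit "$CACHE_DIR" "$LIMIT_KB"; then
    return 0
  fi
  echo "ALERT: $CACHE_DIR exceeds budget; largest entries:" >&2
  largest_entries "$CACHE_DIR" 10 >&2
  return 1
}

# Run the check only when invoked with CACHE_CHECK_RUN=1 (e.g. from cron),
# so the functions can also be sourced by other scripts.
if [ "${CACHE_CHECK_RUN:-0}" = "1" ]; then
  main
  exit $?
fi
```

Run it from cron with `CACHE_CHECK_RUN=1` and a `LIMIT_KB` well below the free space on the partition; a non-zero exit is the alert.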
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Next.js to version 16.1.7 or later, which fixes the issue with an LRU-backed disk cache that has a configurable maximum size.
If upgrading is not possible right away, you can take the following steps:
- Periodically clean the `.next/cache/images` directory to remove accumulated cached images and free disk space.
- Reduce the number of image variants generated by tightening configuration values such as `images.localPatterns`, `images.remotePatterns`, and `images.qualities` in your Next.js configuration.
- Consider disabling disk caching by setting `images.maximumDiskCacheSize` to 0 in `next.config.js` if disk space is critically constrained; note that, as described above, this option was introduced with the fix in 16.1.7, so it only takes effect once you have upgraded.