CVE-2026-27980
NVD status: Received - Intake
Unbounded Disk Cache Growth in Next.js Image Optimization Causes DoS

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).
Meta Information
Published: 2026-03-18
Last modified: 2026-03-18
Page generated: 2026-06-16
EPSS evaluated: 2026-06-15
Source: NVD
Affected Vendors & Products
Vendor: vercel; Product: next.js; Version range: from 10.0.0 (inclusive) to 16.1.7 (exclusive)
CWE
CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

CVE-2026-27980 is a vulnerability in the Next.js React framework's image optimization feature that existed from version 10.0.0 up to but not including 16.1.7. The default disk cache used for storing optimized images had no upper size limit, so the cache could grow without bound.

An attacker could exploit this by generating many unique image optimization variants, causing the disk cache to consume all available disk space and leading to denial of service (DoS) through disk exhaustion.

The vulnerability was fixed in version 16.1.7 by introducing a least-recently-used (LRU) disk cache controlled by the configuration parameter `images.maximumDiskCacheSize`. This caps the cache size and evicts the least recently used entries when the limit is exceeded.

Impact Analysis

This vulnerability affects availability. Every successful request to `/_next/image` for an allowed but not-yet-cached combination of source URL, width (`w`) and quality (`q`) writes a new entry to the disk cache, and nothing evicts entries by size, so an unauthenticated client that can reach the optimizer can grow the cache until the partition is full. Only deployments that serve `/_next/image` with the default loader write this cache.

When the partition fills, the damage extends beyond the image route: anything else that writes to the same filesystem (application logs, other caches, a database on a single-host deployment) starts failing, and the application or server may become unresponsive or fail to operate correctly.

The vulnerability does not impact confidentiality or integrity; its effect on availability (rated low here) comes from gradual resource exhaustion rather than a crash, and each cached variant costs the attacker one optimization request, so the realistic pattern is slow growth over hours or days rather than an instant outage.


Detection Guidance

The cache lives at `.next/cache/images` (under the project's `distDir`) on each instance that runs `next start`; it is not shared between hosts, so check every instance, or the writable layer of every container. Unusually large or rapidly growing disk usage in this directory, or a burst of `/_next/image` requests carrying many distinct `url`/`w`/`q` combinations from a single client in the access log, indicates exploitation attempts.

You can use system commands to check the size and contents of the cache directory to detect abnormal growth.

  • Check disk usage of the cache directory: `du -sh .next/cache/images`
  • Count cache entries (one subdirectory per cached variant): `find .next/cache/images -mindepth 1 -maxdepth 1 -type d | wc -l`
  • List files sorted by size to identify large cache entries: `find .next/cache/images -type f -exec ls -lh {} + | sort -k 5 -h`
  • Monitor disk space usage on the partition hosting the cache directory: `df -h`
  • Set up alerts or scripts to notify when the cache directory size or entry count exceeds expected thresholds, and when one client requests an unusually high number of distinct `/_next/image` variants.
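The access-log side of this, as an added example that is not part of this page or of Next.js: it parses combined-format log lines (constructed here, with documentation-range IP addresses), counts distinct `url`/`w`/`q` combinations per client, and flags clients that created more new cache entries than a threshold. The width list it uses is an assumed allow-list, not read from any configuration.

```javascript
// Added example (not from the advisory or the Next.js project): flag clients
// that request many distinct /_next/image variants, which is what filling the
// cache looks like in an access log. Assumes the common "combined" log format;
// the log lines and IP addresses below are constructed for this example.

// Widths assumed here as a typical deviceSizes + imageSizes allow-list; the
// optimizer rejects any w that is not in the configured lists.
const WIDTHS = [16, 32, 48, 64, 96, 128, 256, 384, 640, 750, 828, 1080, 1200, 1920, 2048, 3840];

const SAMPLE_LOG = [
  // Attacker: every allowed width of one source image at two qualities.
  ...WIDTHS.flatMap((w) => [75, 90].map((q) =>
    `203.0.113.7 - - [18/Mar/2026:10:00:01 +0000] "GET /_next/image?url=%2Fhero.png&w=${w}&q=${q} HTTP/1.1" 200 1024`)),
  // Ordinary browser: the same variant fetched repeatedly, plus a page view.
  '198.51.100.4 - - [18/Mar/2026:10:00:02 +0000] "GET /_next/image?url=%2Fhero.png&w=640&q=75 HTTP/1.1" 200 15234',
  '198.51.100.4 - - [18/Mar/2026:10:00:09 +0000] "GET /_next/image?url=%2Fhero.png&w=640&q=75 HTTP/1.1" 304 0',
  '198.51.100.4 - - [18/Mar/2026:10:00:10 +0000] "GET /about HTTP/1.1" 200 8192',
];

const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Returns { ip, variant } for a successful /_next/image request, else null.
// The key that matters is the (url, w, q) triple: each new triple is a new
// entry on disk, whereas repeats (200 or 304) hit the existing one.
function parseImageRequest(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, method, target, status] = m;
  if (method !== 'GET' || status !== '200') return null;
  const url = new URL(target, 'http://localhost');
  if (url.pathname !== '/_next/image') return null;
  const src = url.searchParams.get('url');
  const w = url.searchParams.get('w');
  const q = url.searchParams.get('q');
  if (!src || !w || !q) return null;
  return { ip, variant: `${src}|w=${w}|q=${q}` };
}

// Distinct variants per client IP over the given log lines.
function distinctVariantsPerClient(lines) {
  const perIp = new Map();
  for (const line of lines) {
    const r = parseImageRequest(line);
    if (!r) continue;
    if (!perIp.has(r.ip)) perIp.set(r.ip, new Set());
    perIp.get(r.ip).add(r.variant);
  }
  return perIp;
}

// Clients that created more than `threshold` new cache entries, worst first.
function findVariantSprayers(lines, threshold) {
  return [...distinctVariantsPerClient(lines)]
    .map(([ip, variants]) => ({ ip, distinct: variants.size }))
    .filter((c) => c.distinct > threshold)
    .sort((a, b) => b.distinct - a.distinct);
}

console.log(findVariantSprayers(SAMPLE_LOG, 20));
```

Feed it real lines with `fs.readFileSync` or a streaming reader and tune the threshold to the number of widths your configuration allows: a legitimate browser on one page rarely needs more than a handful of variants of a given image, while a sprayer walks the whole width and quality space and, in a real attack, varies the `url` parameter as well.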
Mitigation Strategies

To mitigate this vulnerability, upgrade Next.js to version 16.1.7 or later, which replaces the unbounded disk cache with an LRU-backed cache whose size is capped by `images.maximumDiskCacheSize`; entries beyond the cap are evicted least-recently-used first. On the fixed version, `maximumDiskCacheSize: 0` in `next.config.js` disables the disk cache entirely, at the cost of re-optimizing every image on every request.

If upgrading is not possible right away, you can take the following steps (the `maximumDiskCacheSize` option does not exist in vulnerable versions, so it cannot serve as a stopgap):

  • Periodically clean the `.next/cache/images` directory to remove accumulated cached images and free disk space, for example from a cron job that trims it to a size budget.
  • Reduce the number of image variants generated by tightening configuration values such as `images.localPatterns`, `images.remotePatterns` (avoid wildcard hostnames, which let the attacker choose the source), `images.deviceSizes`, `images.imageSizes`, and `images.qualities` in your Next.js configuration; the number of cacheable variants per source image is the number of allowed widths times the number of allowed qualities.
  • Put the cache on its own volume or under a filesystem quota so that exhausting it does not take the rest of the host down with it.
  • If the application does not need server-side optimization at all, set `images.unoptimized: true`, which takes the optimizer and its cache out of the request path.