Description
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).
Published: 2026-03-18
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Disk Exhaustion
Action: Patch Now
AI Analysis

Impact

Next.js versions 10.0.0 through 16.1.6 have an unbounded image optimization disk cache by default. The cache grows without a configurable upper bound, allowing many unique image‑optimization variants to consume all available disk space. This results in denial of service to users when the application can no longer write cache entries. The flaw is characterized as Uncontrolled Resource Consumption (CWE‑400) and Use of Too Large Buffer (CWE‑770).

Affected Systems

The vulnerability affects the Vercel Next.js framework with default image optimization settings. All releases from version 10.0.0 up to, but not including, version 16.1.7 are susceptible. The default cache path is /_next/image and the related .next/cache/images directory is subject to uncontrolled growth.

Risk and Exploitability

The CVSS base score of 6.9 indicates medium severity, while the EPSS score of less than 1% reflects a low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog. An attacker can exploit the flaw by repeatedly requesting image variants that trigger cache writes, causing disk exhaustion. The primary attack vector is automated HTTP requests to the image optimization endpoint; no special privileges or authentication are required.

Generated by OpenCVE AI on March 19, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Next.js version 16.1.7 or later.
  • Configure images.maximumDiskCacheSize to a suitable limit to cap disk usage.
  • Set images.maximumDiskCacheSize to 0 to disable disk caching completely.
  • If immediate upgrade is not possible, schedule periodic cleanup of the .next/cache/images directory.
  • Reduce image variant cardinality by tightening images.localPatterns, images.remotePatterns, and images.qualities configurations.

Generated by OpenCVE AI on March 19, 2026 at 01:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3x4c-7xq6-9pq8 Next.js: Unbounded next/image disk cache growth can exhaust storage
History

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 18 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Vercel
Vercel next.js
Vendors & Products Vercel
Vercel next.js

Wed, 18 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).
Title Next.js: Unbounded next/image disk cache growth can exhaust storage
Weaknesses CWE-400
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Vercel Next.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T19:50:12.877Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27980

cve-icon Vulnrichment

Updated: 2026-03-18T19:50:10.270Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T01:16:04.957

Modified: 2026-03-18T19:52:54.307

Link: CVE-2026-27980

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-18T00:23:34Z

Links: CVE-2026-27980 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:53:54Z

Weaknesses