Description
Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Next.js’s Image Optimization API allows unbounded loading of local images into memory, which can exhaust available system memory and cause the application to become unavailable. The weakness is a resource exhaustion flaw (CWE‑770) that results in a denial‑of‑service condition when large images are requested through the "/_next/image" endpoint.

Affected Systems

Self‑hosted Next.js installations produced by Vercel, running versions 10.0.0 through 15.5.15 and 16.2.4 that use the default image loader, are affected. The vulnerability is triggered when the request matches the images.localPatterns setting, which by default permits all patterns. The issue is resolved in Next.js versions 15.5.16 and 16.2.5 and later.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium severity. It is inferred from the description that an attacker can issue requests to the application’s "/_next/image" endpoint to trigger out‑of‑memory crashes; no authentication is required. Because the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, it is not yet known to be widely exploited, but the impact of service disruption justifies prompt remediation.

Generated by OpenCVE AI on May 13, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to version 15.5.16 or later (or to 16.2.5) which implements a size limit on images loaded by the optimization API.
  • If an upgrade cannot occur immediately, restrict the images.localPatterns configuration to allow only trusted, small image patterns or set a maximum file size in next.config.js to prevent large local images from being processed.
  • As a temporary safeguard, consider disabling the internal image optimization feature or switching to an external image loader so that images are served without being processed by the application.

Generated by OpenCVE AI on May 13, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h64f-5h5j-jqjh Next.js has a Denial of Service in the Image Optimization API
History

Wed, 03 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Vercel
Vercel next.js
Vendors & Products Vercel
Vercel next.js

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5.
Title Next.js: Denial of Service in the Image Optimization API
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Vercel Next.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:33:46.473Z

Reserved: 2026-05-06T21:49:12.424Z

Link: CVE-2026-44577

cve-icon Vulnrichment

Updated: 2026-05-14T18:33:43.810Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T17:16:23.173

Modified: 2026-05-13T20:00:59.993

Link: CVE-2026-44577

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-13T17:00:02Z

Links: CVE-2026-44577 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T19:30:03Z

Weaknesses