CVE-2026-27980

Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd	Patch
https://github.com/vercel/next.js/releases/tag/v16.1.7	Release Notes
https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8	Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-18 01:16

Updated : 2026-03-18 19:52

NVD link : CVE-2026-27980

Mitre link : CVE-2026-27980

CVE.ORG link : CVE-2026-27980

JSON object : View

Products Affected

vercel

next.js

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2026-27980", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-18T01:16:04.957", "references": [{"url": "https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8", "tags": ["Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)."}, {"lang": "es", "value": "Next.js es un React framework para construir aplicaciones web full-stack. A partir de la versi\u00f3n 10.0.0 y antes de la versi\u00f3n 16.1.7, la cach\u00e9 de disco predeterminada de optimizaci\u00f3n de im\u00e1genes de Next.js ('/_next/image') no ten\u00eda un l\u00edmite superior configurable, permitiendo un crecimiento ilimitado de la cach\u00e9. Un atacante podr\u00eda generar muchas variantes \u00fanicas de optimizaci\u00f3n de im\u00e1genes y agotar el espacio en disco, causando denegaci\u00f3n de servicio. Esto se corrige en la versi\u00f3n 16.1.7 a\u00f1adiendo una cach\u00e9 de disco basada en LRU con 'images.maximumDiskCacheSize', incluyendo la expulsi\u00f3n de las entradas menos usadas recientemente cuando se excede el l\u00edmite. Establecer 'maximumDiskCacheSize: 0' deshabilita el almacenamiento en cach\u00e9 en disco. Si la actualizaci\u00f3n no es inmediatamente posible, limpie peri\u00f3dicamente '.next/cache/images' y/o reduzca la cardinalidad de las variantes (por ejemplo, ajuste los valores para 'images.localPatterns', 'images.remotePatterns' y 'images.qualities')."}], "lastModified": "2026-03-18T19:52:54.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3BD74928-5E91-4C17-828C-3D63BB8BAE53", "versionEndExcluding": "16.1.7", "versionStartIncluding": "10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}