CVE-2026-44577

Next.js: Denial of Service in the Image Optimization API

Assigner: GitHub_M
Reserved: 06.05.2026 Published: 13.05.2026 Updated: 13.05.2026

Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 5.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	vercel
Product	next.js
Versions	Version >= 10.0.0, < 15.5.16 is affected Version >= 16.0.0, < 16.2.5 is affected

Vendor

vercel

Product

next.js

Versions

Version >= 10.0.0, < 15.5.16 is affected
Version >= 16.0.0, < 16.2.5 is affected

References

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE

CVE-2026-44577 PUBLISHED

Next.js: Denial of Service in the Image Optimization API

Metrics

Product Status

References

Problem Types