Next.js: Unbounded next/image disk cache growth can exhaust storage
Description
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. Setting maximumDiskCacheSize: 0 disables disk caching. If upgrading is not immediately possible, periodically clean .next/cache/images and/or reduce variant cardinality (e.g., tighten values for images.localPatterns, images.remotePatterns, and images.qualities).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| next | npm | >= 16.0.0-beta.0, < 16.1.7 | 16.1.7 |
| next | npm | >= 10.0.0, < 15.5.14 | 15.5.14 |
Affected products
10 affected versions (OSV coordinates; none has a CPE):
- pkg:apk/chainguard/jitsucom-jitsu-console: < 2.11.0-r17
- pkg:apk/chainguard/keep-ui: < 0.51.0-r5
- pkg:apk/chainguard/keep-ui-fips: < 0.51.0-r5
- pkg:apk/chainguard/langfuse-2: < 2.95.12-r14
- pkg:apk/chainguard/langfuse-3: < 3.162.0-r1
- pkg:apk/chainguard/langfuse-fips-2: < 2.95.12-r17
- pkg:apk/chainguard/langfuse-fips-3: < 3.162.0-r0
- pkg:apk/wolfi/jitsucom-jitsu-console: < 2.11.0-r17
- pkg:apk/wolfi/langfuse-3: < 3.162.0-r1
- pkg:npm/next: >= 16.0.0-beta.0, < 16.1.7
References
- https://github.com/advisories/GHSA-3x4c-7xq6-9pq8 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-27980 (GHSA, advisory)
- https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd (GHSA, fix commit)
- https://github.com/vercel/next.js/releases/tag/v16.1.7 (GHSA, release notes)
- https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8 (GHSA, vendor confirmation)