CVE-2026-27980

ADVISORY - github

Summary

Summary

The default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.

Impact

An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

Patches

Fixed by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. Setting maximumDiskCacheSize: 0 disables disk caching.

Workarounds

If upgrade is not immediately possible:

  • Periodically clean .next/cache/images.
  • Reduce variant cardinality (e.g., tighten values for images.localPatterns, images.remotePatterns, and images.qualities)
EPSS Score: 0.00683 (0.481)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Uncontrolled Resource Consumption

ADVISORY - github

Uncontrolled Resource Consumption

ADVISORY - redhat

Allocation of Resources Without Limits or Throttling


NIST

CREATED

UPDATED

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

6.9medium

GitHub

CREATED

UPDATED

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

6.9medium

Red Hat

CREATED

UPDATED

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.3medium

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-3h3v-gc7q-fgxv

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-7r6h-fggg-hg3j

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-v227-w5cp-m84h

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-vpp7-6fjq-88wp

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY