CVE-2026-27980
ADVISORY - githubSummary
Summary
The default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.
Impact
An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.
Patches
Fixed by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. Setting maximumDiskCacheSize: 0 disables disk caching.
Workarounds
If upgrade is not immediately possible:
- Periodically clean
.next/cache/images. - Reduce variant cardinality (e.g., tighten values for
images.localPatterns,images.remotePatterns, andimages.qualities)
Common Weakness Enumeration (CWE)
Uncontrolled Resource Consumption
Uncontrolled Resource Consumption
Allocation of Resources Without Limits or Throttling
NIST
3.9
CVSS SCORE
6.9mediumGitHub
-
CVSS SCORE
6.9mediumRed Hat
3.9
CVSS SCORE
5.3mediumChainguard
CGA-3h3v-gc7q-fgxv
-
minimos
MINI-7r6h-fggg-hg3j
-
minimos
MINI-v227-w5cp-m84h
-
minimos
MINI-vpp7-6fjq-88wp
-