CVSS 4.0 score: 6.9

Next.js: Unbounded image cache can fill up your disk space

GHSA-3x4c-7xq6-9pq8 CVE-2026-27980
Summary

An attacker can create many optimized images and fill up your disk space, causing your website to become unavailable. To fix this, update to the latest version of Next.js, or if you can't update right away, regularly clean out the image cache and consider reducing the number of image variations your website generates.

What to do
  • Update vercel-release-bot next to version 16.1.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| vercel-release-bot | next | > 10.0.0 , <= 16.1.7 | 16.1.7 |
Original title
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did...
Original description
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).
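The interim workaround described above (periodically cleaning `.next/cache/images`), as an added example that is not part of the advisory or of Next.js: a Node.js script that evicts the oldest cache entries until the directory fits a size budget. It assumes each top-level child of the cache directory is one cache entry and uses modification time as the recency signal; the function names and the 512 MiB default budget are constructed for illustration.

```javascript
// Added example: stop-gap pruning of the Next.js image cache until the upgrade lands.
const fs = require('fs');
const path = require('path');

// Total size in bytes of a file or directory tree (symlinks are not followed).
function sizeOf(p) {
  const st = fs.lstatSync(p);
  if (!st.isDirectory()) return st.size;
  return fs.readdirSync(p).reduce((sum, name) => sum + sizeOf(path.join(p, name)), 0);
}

// Newest mtime anywhere inside the entry, used as an approximation of "last used".
function newestMtime(p) {
  const st = fs.lstatSync(p);
  if (!st.isDirectory()) return st.mtimeMs;
  return fs.readdirSync(p).reduce((m, name) => Math.max(m, newestMtime(path.join(p, name))), st.mtimeMs);
}

// Remove the oldest top-level entries (assumed: one entry per child) until the cache fits maxBytes.
function pruneImageCache(cacheDir, maxBytes) {
  if (!fs.existsSync(cacheDir)) return { before: 0, after: 0, removed: [] };
  const entries = fs.readdirSync(cacheDir).map((name) => {
    const full = path.join(cacheDir, name);
    return { name, full, size: sizeOf(full), mtime: newestMtime(full) };
  }).sort((a, b) => a.mtime - b.mtime); // oldest first
  const before = entries.reduce((s, e) => s + e.size, 0);
  let after = before;
  const removed = [];
  for (const e of entries) {
    if (after <= maxBytes) break;
    fs.rmSync(e.full, { recursive: true, force: true });
    after -= e.size;
    removed.push(e.name);
  }
  return { before, after, removed };
}

// Run from cron or a systemd timer: node prune-image-cache.js [cacheDir] [maxBytes]
if (typeof module !== 'undefined' && require.main === module) {
  const dir = process.argv[2] || path.join(process.cwd(), '.next', 'cache', 'images');
  const max = Number(process.argv[3] || 512 * 1024 * 1024); // assumed budget: 512 MiB
  const r = pruneImageCache(dir, max);
  console.log(`image cache: ${r.before} -> ${r.after} bytes, removed ${r.removed.length} entries`);
}
```

Between runs the cache can still grow past the budget, so schedule the interval against the free space on the volume and alert on disk usage for the `.next/cache` path.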
ghsa CVSS4.0 6.9
Vulnerability type
CWE-400 Uncontrolled Resource Consumption
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 17 Mar 2026