CVE-2026-44577
Next.js has a Denial of Service in the Image Optimization API
Description
### Impact When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the `/_next/image` endpoint that match the `images.localPatterns` configuration (by default, all patterns are allowed). - If you are using `images.localPatterns`, only the patterns in that array are impacted. - If you are using `images.unoptimized: true`, you are NOT impacted. - If you are using `images.loader: 'custom'`, you are NOT impacted. - If you are using Vercel, you are NOT impacted. ### Fix We now apply response size limits consistently to internal image fetches, not just external ones, and fail oversized responses before they can exhaust process memory. This can be adjusted using the `images.maximumResponseBody` configuration. ### Workarounds If you cannot upgrade immediately, avoid routing large local assets through `/_next/image`, disable image optimization for large or untrusted local files, or block image optimization access to those assets at the edge. You can disable using the `images.localPatterns: []` configuration. This will still allow fetching remote images (which is not impacted).
How to fix CVE-2026-44577
To remediate CVE-2026-44577, upgrade the affected package to a fixed version below.
- —upgrade to 15.5.16 or later
Is CVE-2026-44577 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 10.0.0, < 15.5.16