{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27980", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:24:57.793Z", "datePublished": "2026-03-18T00:23:34.862Z", "dateUpdated": "2026-03-18T19:50:12.877Z"}, "containers": {"cna": {"title": "Next.js: Unbounded next/image disk cache growth can exhaust storage", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8"}, {"name": "https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd", "tags": ["x_refsource_MISC"], "url": "https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd"}, {"name": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"version": ">= 10.0.0, < 16.1.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:23:34.862Z"}, "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)."}], "source": {"advisory": "GHSA-3x4c-7xq6-9pq8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T19:50:06.816613Z", "id": "CVE-2026-27980", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:50:12.877Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27980", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T19:50:06.816613Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:50:10.270Z"}}], "cna": {"title": "Next.js: Unbounded next/image disk cache growth can exhaust storage", "source": {"advisory": "GHSA-3x4c-7xq6-9pq8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"status": "affected", "version": ">= 10.0.0, < 16.1.7"}]}], "references": [{"url": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8", "name": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd", "name": "https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "name": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:23:34.862Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27980", "state": "PUBLISHED", "dateUpdated": "2026-03-18T19:50:12.877Z", "dateReserved": "2026-02-25T03:24:57.793Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T00:23:34.862Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "3BD74928-5E91-4C17-828C-3D63BB8BAE53", "versionEndExcluding": "16.1.7", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)."}, {"lang": "es", "value": "Next.js es un React framework para construir aplicaciones web full-stack. A partir de la versi\u00f3n 10.0.0 y antes de la versi\u00f3n 16.1.7, la cach\u00e9 de disco predeterminada de optimizaci\u00f3n de im\u00e1genes de Next.js ('/_next/image') no ten\u00eda un l\u00edmite superior configurable, permitiendo un crecimiento ilimitado de la cach\u00e9. Un atacante podr\u00eda generar muchas variantes \u00fanicas de optimizaci\u00f3n de im\u00e1genes y agotar el espacio en disco, causando denegaci\u00f3n de servicio. Esto se corrige en la versi\u00f3n 16.1.7 a\u00f1adiendo una cach\u00e9 de disco basada en LRU con 'images.maximumDiskCacheSize', incluyendo la expulsi\u00f3n de las entradas menos usadas recientemente cuando se excede el l\u00edmite. Establecer 'maximumDiskCacheSize: 0' deshabilita el almacenamiento en cach\u00e9 en disco. Si la actualizaci\u00f3n no es inmediatamente posible, limpie peri\u00f3dicamente '.next/cache/images' y/o reduzca la cardinalidad de las variantes (por ejemplo, ajuste los valores para 'images.localPatterns', 'images.remotePatterns' y 'images.qualities')."}], "id": "CVE-2026-27980", "lastModified": "2026-03-18T19:52:54.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T01:16:04.957", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage", "id": "2448509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448509"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-770", "details": ["An unbounded disk usage flaw has been discovered in Next.js. The default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27980", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/rekor-search-ui-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-03-18T00:23:34Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27980\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27980\nhttps://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd\nhttps://github.com/vercel/next.js/releases/tag/v16.1.7\nhttps://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,16.1.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "next.js", "source": "cna", "vendor": "vercel"}, "product": "next.js", "vendor": "vercel"}], "analysis": {"en": {"generated_at": "2026-03-19T01:55:26.483830+00:00", "value": {"mitigation_remediation": ["Upgrade to Next.js version 16.1.7 or later.", "Configure images.maximumDiskCacheSize to a suitable limit to cap disk usage.", "Set images.maximumDiskCacheSize to 0 to disable disk caching completely.", "If immediate upgrade is not possible, schedule periodic cleanup of the .next/cache/images directory.", "Reduce image variant cardinality by tightening images.localPatterns, images.remotePatterns, and images.qualities configurations."], "summary": {"action": "Patch Now", "impact": "Denial of Service via Disk Exhaustion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Vercel Next.js framework with default image optimization settings. All releases from version 10.0.0 up to, but not including, version 16.1.7 are susceptible. The default cache path is /_next/image and the related .next/cache/images directory is subject to uncontrolled growth.", "description_and_impact": "Next.js versions 10.0.0 through 16.1.6 have an unbounded image optimization disk cache by default. The cache grows without a configurable upper bound, allowing many unique image\u2011optimization variants to consume all available disk space. This results in denial of service to users when the application can no longer write cache entries. The flaw is characterized as Uncontrolled Resource Consumption (CWE\u2011400) and Use of Too Large Buffer (CWE\u2011770).", "risk_and_exploitability": "The CVSS base score of 6.9 indicates medium severity, while the EPSS score of less than 1% reflects a low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog. An attacker can exploit the flaw by repeatedly requesting image variants that trigger cache writes, causing disk exhaustion. The primary attack vector is automated HTTP requests to the image optimization endpoint; no special privileges or authentication are required."}}}}, "created": "2026-03-18T10:42:24.656025+00:00", "updated": "2026-03-24T10:53:54.637846+00:00", "vendors": ["vercel", "vercel$PRODUCT$next.js"]}