Security context
Medium· 5.9GHSA-h64f-5h5j-jqjh CVE-2026-44577CWE-770Published May 11, 2026

Next.js has a Denial of Service in the Image Optimization API

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

10.0.0 → fixed in 15.5.1616.0.0 → fixed in 16.2.5

Details

### Impact When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the `/_next/image` endpoint that match the `images.localPatterns` configuration (by default, all patterns are allowed). - If you are using `images.localPatterns`, only the patterns in that array are impacted. - If you are using `images.unoptimized: true`, you are NOT impacted. - If you are using `images.loader: 'custom'`, you are NOT impacted. - If you are using Vercel, you are NOT impacted. ### Fix We now apply response size limits consistently to internal image fetches, not just external ones, and fail oversized responses before they can exhaust process memory. This can be adjusted using the `images.maximumResponseBody` configuration. ### Workarounds If you cannot upgrade immediately, avoid routing large local assets through `/_next/image`, disable image optimization for large or untrusted local files, or block image optimization access to those assets at the edge. You can disable using the `images.localPatterns: []` configuration. This will still allow fetching remote images (which is not impacted).

The fix

No fix commit could be resolved for this advisory (it may reference an issue tracker or a non-GitHub patch). See the references below.

References