Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Next.js Allocation of Resources Without Limits or Throttling Vulnerability - CVE-2026-44577 - Vulnerability Database
Next.js

Next.js Allocation of Resources Without Limits or Throttling Vulnerability - CVE-2026-44577

Medium
Reference: CVE-2026-44577
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-44577
Title: Next.js Allocation of Resources Without Limits or Throttling Vulnerability
Overview:

Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5 when self-hosting Next.js with the default image loader the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5.