Next.js Uncontrolled Resource Consumption Vulnerability - CVE-2026-27980
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. Setting maximumDiskCacheSize: 0 disables disk caching. If upgrading is not immediately possible, periodically clean .next/cache/images and/or reduce variant cardinality (e.g. tighten values for images.localPatterns, images.remotePatterns, and images.qualities).