Allocation of Resources Without Limits or Throttling

CVE-2026-44577

Severity Medium
Score 5.9/10

Summary

Next.js is a React framework for building full-stack web applications. In versions from 10.0.0 prior to 15.5.16 and 16.x prior to 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the '/_next/image' endpoint that match the 'images.localPatterns' configuration (by default, all patterns are allowed).

CVSS base metrics

  • Attack vector: NETWORK
  • Attack complexity: HIGH
  • Privileges required: NONE
  • User interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: HIGH

CWE-770 - Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Advisory Timeline

  • Published