Allocation of Resources Without Limits or Throttling
CVE-2026-44577
Summary
Next.js is a React framework for building full-stack web applications. In versions from 10.0.0 prior to 15.5.16 and 16.x prior to 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the '/_next/image' endpoint that match the 'images.localPatterns' configuration (by default, all patterns are allowed).
- HIGH
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
References
Advisory Timeline
- Published