GHSA-h64f-5h5j-jqjh

Source
https://github.com/advisories/GHSA-h64f-5h5j-jqjh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h64f-5h5j-jqjh/GHSA-h64f-5h5j-jqjh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h64f-5h5j-jqjh
Aliases
  • CVE-2026-44577
Published
2026-05-11T15:56:05Z
Modified
2026-05-11T16:06:02.119307Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Next.js has a Denial of Service in the Image Optimization API
Details

Impact

When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed).

  • If you are using images.localPatterns, only the patterns in that array are impacted.
  • If you are using images.unoptimized: true, you are NOT impacted.
  • If you are using images.loader: 'custom', you are NOT impacted.
  • If you are using Vercel, you are NOT impacted.

Fix

We now apply response size limits consistently to internal image fetches, not just external ones, and fail oversized responses before they can exhaust process memory.

This can be adjusted using the images.maximumResponseBody configuration.
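The fix described above, as an added example that is not Next.js's own code: a streaming read that enforces a maximum body size, shown next to the unbounded read it replaces. The byte cap, the error class and the chunk source are constructed for the demonstration.

```javascript
// Added illustration (not Next.js code): unbounded buffering of a fetched body
// versus a streaming read that enforces a maximum response size. Chunks are a
// sync iterable of Uint8Array; a real HTTP body is async and uses `for await`.
const MAX_RESPONSE_BODY = 1024; // hypothetical cap in bytes, demo only
class ResponseTooLargeError extends Error {
  constructor(limit) {
    super(`response body exceeds limit of ${limit} bytes`);
    this.name = 'ResponseTooLargeError';
  }
}
function concat(parts, total) {
  const out = new Uint8Array(total);
  let offset = 0;
  for (const p of parts) { out.set(p, offset); offset += p.length; }
  return out;
}
// Vulnerable pattern: retain every chunk, however large the body grows.
function readUnbounded(chunks) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) { parts.push(chunk); total += chunk.length; }
  return concat(parts, total);
}

// Hardened pattern: fail as soon as the running total passes the limit, so at
// most (limit + one chunk) is ever held and the remainder is never read.
function readBounded(chunks, limit = MAX_RESPONSE_BODY) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > limit) throw new ResponseTooLargeError(limit);
    parts.push(chunk);
  }
  return concat(parts, total);
}

// Constructed sample source: totalBytes delivered in fixed-size chunks, with a
// counter showing how much of the body the reader actually consumed.
function makeSource(totalBytes, chunkSize = 256) {
  const stats = { chunksProduced: 0 };
  function* gen() {
    for (let sent = 0; sent < totalBytes; sent += chunkSize) {
      stats.chunksProduced += 1;
      yield new Uint8Array(Math.min(chunkSize, totalBytes - sent));
    }
  }
  return { chunks: gen(), stats };
}
```

With a 4 KiB body and a 1 KiB cap, `readBounded` throws after the fifth 256-byte chunk and the remaining eleven are never pulled from the source, whereas `readUnbounded` consumes all sixteen.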

Workarounds

If you cannot upgrade immediately, avoid routing large local assets through /_next/image, disable image optimization for large or untrusted local files, or block image optimization access to those assets at the edge.

You can disable local image optimization entirely with the images.localPatterns: [] configuration. Remote images (which are not impacted) can still be fetched.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T15:56:05Z",
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
Affected packages

npm / next
  Affected ranges (SEMVER): introduced 10.0.0, fixed 15.5.16
  Database specific: source "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h64f-5h5j-jqjh/GHSA-h64f-5h5j-jqjh.json"

npm / next
  Affected ranges (SEMVER): introduced 16.0.0, fixed 16.2.5
  Database specific: source "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h64f-5h5j-jqjh/GHSA-h64f-5h5j-jqjh.json"