CVE-2026-27980
Published 2026-03-18
Priority P343 · high · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.68% (47.9th percentile)
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).
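The bounded LRU behaviour the fix introduces, as an added JavaScript example that is not Next.js code: a byte-limited cache keyed by image variant that evicts least-recently-used entries once the limit is exceeded, and stores nothing when the limit is 0. The class, method and key-format names are assumptions, and the flood scenario is constructed.

```javascript
// Added example, not Next.js source: a byte-bounded LRU keyed by image variant
// (source path, width, quality), mirroring the eviction the fix describes.
// maxBytes === 0 disables caching, as images.maximumDiskCacheSize: 0 does.
class BoundedImageCache {
  constructor(maxBytes) {
    if (!Number.isInteger(maxBytes) || maxBytes < 0) {
      throw new RangeError('maxBytes must be a non-negative integer');
    }
    this.maxBytes = maxBytes;
    this.usedBytes = 0;
    this.entries = new Map(); // insertion order doubles as recency order
  }
  // Assumed key format; the real on-disk layout is not shown in the advisory.
  static variantKey(src, width, quality) {
    return `${src}|w=${width}|q=${quality}`;
  }
  get(key) {
    const entry = this.entries.get(key);
    if (entry === undefined) return undefined;
    this.entries.delete(key); // re-insert so the hit becomes most recent
    this.entries.set(key, entry);
    return entry;
  }
  set(key, sizeBytes) {
    if (this.maxBytes === 0 || sizeBytes > this.maxBytes) return false;
    if (this.entries.has(key)) {
      this.usedBytes -= this.entries.get(key).sizeBytes;
      this.entries.delete(key);
    }
    this.entries.set(key, { sizeBytes });
    this.usedBytes += sizeBytes;
    while (this.usedBytes > this.maxBytes) { // evict least recently used
      const [oldestKey, oldest] = this.entries.entries().next().value;
      this.entries.delete(oldestKey);
      this.usedBytes -= oldest.sizeBytes;
    }
    return true;
  }
}

// Constructed scenario: many distinct width variants of one source, the
// cardinality the workarounds (tighter patterns/qualities) are meant to reduce.
function simulateVariantFlood(maxBytes, variantCount, bytesPerVariant) {
  const cache = new BoundedImageCache(maxBytes);
  for (let i = 0; i < variantCount; i++) {
    cache.set(BoundedImageCache.variantKey('/hero.png', 100 + i, 75), bytesPerVariant);
  }
  return { entries: cache.entries.size, usedBytes: cache.usedBytes };
}
```

Tightening `images.qualities`, `images.localPatterns` or `images.remotePatterns` lowers the number of distinct keys that can ever be inserted; the byte limit is what keeps disk usage bounded regardless of how many variants are requested.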
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 10.0.0 < 15.5.14 | 15.5.14 |
| next | next | >= 16.0.0-beta.0 < 16.1.7 | 16.1.7 |
| vercel | next.js | — | — |
| vercel | next.js | >= 10.0.0 < 16.1.7 | 16.1.7 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 6.9 | MEDIUM | — |
Red Hat
next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage
vendor_redhat·2026-03-18·CVSS 6.9
CVE-2026-27980 [MEDIUM] CWE-770 next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage
GHSA
Next.js: Unbounded next/image disk cache growth can exhaust storage
ghsa·2026-03-17
CVE-2026-27980 [MEDIUM] CWE-400 Next.js: Unbounded next/image disk cache growth can exhaust storage
## Summary
The default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.
## Impact
An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.
## Patches
Fixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching.
## Workarounds
If upgrade is not immediately possible:
- Periodically clean `.next/cache/images`.
- Reduce variant
OSV
Next.js: Unbounded next/image disk cache growth can exhaust storage
osv·2026-03-17
CVE-2026-27980 [MEDIUM] Next.js: Unbounded next/image disk cache growth can exhaust storage
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-29057 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-29057 [MEDIUM] CVE-2026-29057 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29057: ASP.NET Core vulnerability analysis and mitigation
Source : NVD
Score: 6.3
Published March 18, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
ASP.NET Core
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
dotnet-targeting-pack-7.0
langfuse-2
Sources
NVD
Chainguard Has Fix Added at: Mar 20, 2026
npm Severity MEDIUM Has Fix Added at: Mar 17, 2026
Red Hat 9 Severity MEDIUM No Fix Added at: Mar 19, 2026
Wolfi Has Fix Added at: Mar 20, 2026
Wiz
GHSA-5j59-xgg2-r9c4 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-55184 [HIGH] GHSA-5j59-xgg2-r9c4 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-5j59-xgg2-r9c4: Next.js vulnerability analysis and mitigation
It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779 .
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustaine
Wiz
GHSA-w37m-7fhw-fmv9 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-55183 [MEDIUM] GHSA-w37m-7fhw-fmv9 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-w37m-7fhw-fmv9: Next.js vulnerability analysis and mitigation
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183 .
A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions . This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.
Source : NVD
Score: 5.3
Published December 11, 2025
Severity MEDIUM
CNA Score N/A
Affected Technologies
Next.js
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Da
Wiz
CVE-2025-59472 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2025-59472 [MEDIUM] CVE-2025-59472 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59472: ASP.NET Core vulnerability analysis and mitigation
Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Source : NVD
Score: 7.5
Published January 26, 2026
Severity HIGH
CNA Score 5.9
Affected Technologies
ASP.NET Core
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
dotnet7.0
dotnet-sdk-7.0
Sources
NVD
Chainguard Has Fix Added at: F
Wiz
CVE-2026-27978 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-27978 [MEDIUM] CVE-2026-27978 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27978: ASP.NET Core vulnerability analysis and mitigation
Source : NVD
Score: 5.3
Published March 18, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
ASP.NET Core
.NET Core SDK
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dotnet-templates-7.0
netstandard-targeting-pack-2.1
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 17, 2026
Red Hat 9 Severity MEDIUM No Fix Added at: Mar 19, 2026
Wiz
GHSA-mwv6-3258-q52c Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-55184 [HIGH] GHSA-mwv6-3258-q52c Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-mwv6-3258-q52c: Next.js vulnerability analysis and mitigation
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184 .
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
Source : NVD
Score: 7.5
Published December 11, 2025
Severity HIGH
CNA Score N/A
Affected Technologies
Next.js
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Prob
Wiz
CVE-2026-27977 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.3
CVE-2026-27977 [LOW] CVE-2026-27977 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27977: ASP.NET Core vulnerability analysis and mitigation
Source : NVD
Score: 2.3
Published March 18, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
ASP.NET Core
.NET Core SDK
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dotnet-targeting-pack-7.0
dotnet-templates-7.0
Sources
NVD
npm Severity LOW Has Fix Added at: Mar 17, 2026
Red Hat 9 Severity MEDIUM No Fix Added at: Mar 19, 2026
Wiz
CVE-2026-27979 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-27979 [MEDIUM] CVE-2026-27979 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27979: ASP.NET Core vulnerability analysis and mitigation
Source : NVD
Score: 6.9
Published March 18, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
ASP.NET Core
.NET Core SDK
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dotnet-sdk-7.0
dotnet-sdk-7.0-source-built-artifacts
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 17, 2026
Red Hat 9 Severity MEDIUM No Fix Added at: Mar 19, 2026
Wiz
CVE-2025-59471 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2025-59471 [MEDIUM] CVE-2025-59471 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59471: ASP.NET Core vulnerability analysis and mitigation
Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Source : NVD
Score: 7.5
Published January 26, 2026
Severity HIGH
CNA Score 5.9
Affected Technologies
ASP.NET Core
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dotnet-sdk-7.0
dotnet-sdk-7.0-source-built-artifacts
Sources
NVD
Chainguard Has Fix Added at: Feb 10, 2026
npm Severity MEDIUM Has Fix Added at: Jan 28, 2026
Red Hat 7, 8, 9, 10 Severity MEDIUM No Fix Added
Wiz
CVE-2026-27980 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-27980 [MEDIUM] CVE-2026-27980 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27980: ASP.NET Core vulnerability analysis and mitigation
Source : NVD
Score: 6.9
Published March 18, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
ASP.NET Core
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
langfuse-3
langfuse-2
Sources
NVD
Chainguard Has Fix Added at: Mar 20, 2026
npm Severity MEDIUM Has Fix Added at: Mar 17, 2026
Red Hat 9 Severity MEDIUM No Fix Added at: Mar 19, 2026
Wolfi Has Fix Added at: Mar 20, 2026
Bugzilla
CVE-2026-27980 next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage
bugzilla·2026-03-18·CVSS 6.9
CVE-2026-27980 [MEDIUM] CVE-2026-27980 next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage
Published 2026-03-18