CVE-2026-44577

Severity: MEDIUM 5.9 | EPSS: 0.02%

Next.js has a Denial of Service in the Image Optimization API

Published: 5/11/2026 | Modified: 5/14/2026

Description

### Impact

When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the `/_next/image` endpoint that match the `images.localPatterns` configuration (by default, all patterns are allowed).

- If you are using `images.localPatterns`, only the patterns in that array are impacted.
- If you are using `images.unoptimized: true`, you are NOT impacted.
- If you are using `images.loader: 'custom'`, you are NOT impacted.
- If you are using Vercel, you are NOT impacted.

### Fix

We now apply response size limits consistently to internal image fetches, not just external ones, and fail oversized responses before they can exhaust process memory. The limit can be adjusted using the `images.maximumResponseBody` configuration.

### Workarounds

If you cannot upgrade immediately, avoid routing large local assets through `/_next/image`, disable image optimization for large or untrusted local files, or block image optimization access to those assets at the edge. Local image optimization can be disabled entirely with the `images.localPatterns: []` configuration; remote images (which are not impacted) can still be fetched.
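As an added, defender-side illustration (not code from Next.js or from this advisory), the following Node.js snippet shows the pattern the fix describes: buffer a fetched body only up to a fixed byte budget and fail before the whole asset is materialised in process memory. The class and function names, the 1 MiB budget and the constructed fake body are assumptions of this example; the real knob in Next.js is the `images.maximumResponseBody` configuration named above, whose exact form is documented by Next.js rather than here.

```javascript
// Added illustration (not Next.js code): bounded buffering of a fetched body.
// Names, the byte budget and the fake body below are assumptions for this example.

class ResponseTooLargeError extends Error {
  constructor(limit, seen) {
    super(`response body exceeded ${limit} bytes (stopped after ${seen})`);
    this.name = 'ResponseTooLargeError';
    this.limit = limit;
    this.seen = seen;
  }
}

// Accumulates chunks but never holds more than maxBytes, so a large asset cannot be
// fully materialised in memory regardless of what the source sends.
class BoundedBuffer {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.parts = [];
    this.total = 0;
  }

  push(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    this.total += buf.length;
    if (this.total > this.maxBytes) {
      this.parts = []; // release what was already buffered before failing
      throw new ResponseTooLargeError(this.maxBytes, this.total);
    }
    this.parts.push(buf);
  }

  finish() {
    return Buffer.concat(this.parts, this.total);
  }
}

// Cheap pre-check on a declared Content-Length: a declared size over budget can be
// rejected before reading any body bytes. A missing or wrong header is exactly why the
// per-chunk accounting in BoundedBuffer is still required.
function exceedsDeclaredLength(headers, maxBytes) {
  const raw = headers['content-length'];
  if (raw === undefined) return false;
  const declared = Number(raw);
  return Number.isFinite(declared) && declared > maxBytes;
}

// Synchronous variant over an iterable of already-read chunks.
function collectWithLimit(chunks, maxBytes) {
  const acc = new BoundedBuffer(maxBytes);
  for (const chunk of chunks) acc.push(chunk);
  return acc.finish();
}

// Streaming variant for any async iterable (Node.js Readable streams qualify). The
// source is destroyed on overflow so the remainder of an oversized body is never read.
async function readStreamWithLimit(stream, maxBytes) {
  const acc = new BoundedBuffer(maxBytes);
  try {
    for await (const chunk of stream) acc.push(chunk);
  } catch (err) {
    if (typeof stream.destroy === 'function') stream.destroy(err);
    throw err;
  }
  return acc.finish();
}

// Demo with constructed chunks (no network): a 1 MiB budget, one body under it and one over.
async function main() {
  const MAX_BYTES = 1024 * 1024; // assumed budget for the example
  async function* fakeBody(chunkCount, chunkSize) {
    for (let i = 0; i < chunkCount; i++) yield Buffer.alloc(chunkSize, 0x41);
  }
  const small = await readStreamWithLimit(fakeBody(4, 64 * 1024), MAX_BYTES);
  console.log(`small asset buffered: ${small.length} bytes`);
  try {
    await readStreamWithLimit(fakeBody(20, 64 * 1024), MAX_BYTES);
  } catch (err) {
    console.log(`large asset rejected: ${err.message}`);
  }
}

if (typeof require !== 'undefined' && require.main === module) main();
```

The two checks are complementary: the header pre-check is a fast reject for honest sources, while the running byte count is the control that actually bounds memory, since a local file or proxied response may carry no usable length header at all.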

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |

References (5)