Next.js Image Feature Can Be Abused to Fill Up Your Server's Disk
Your website uses Next.js, a popular web framework, which includes a feature that automatically resizes and optimises images for visitors. A flaw in versions before 16.1.7 means this feature stores an unlimited number of image variants on disk with no cap — like a filing cabinet with no limit on how many folders can be added. An attacker could deliberately flood this cache to fill up your server's storage and take your site offline.
Business Impact And Actions
medium urgencyBusiness Impact
If exploited, your website could become unavailable to customers — a direct hit to revenue and reputation. Because no login is required to trigger this, it is accessible to any automated bot. Hosting providers may also charge for excess storage consumed. If your site is subject to uptime SLAs or compliance requirements (e.g. SOC 2, ISO 27001), an availability incident could have audit implications.
What To Do
- Ask your developer to upgrade Next.js to version 16.1.7 or later — this is the primary fix and should take under an hour for most projects.
- If an immediate upgrade isn't possible, ask your developer to set up a scheduled task to periodically clear the `.next/cache/images` folder on your server.
- Ask your developer to restrict the allowed image sizes and quality settings in your Next.js config — this limits how many variants an attacker can generate.
- Consider adding rate limiting to your image endpoint (`/_next/image`) through your hosting platform or CDN to reduce abuse potential.
Next.js Unbounded Image Optimization Disk Cache DoS (CVE-2026-27980)
medium severity CVSS 6.9Vulnerability Explanation
The Next.js image optimization endpoint (`/_next/image`) writes a separate cached file to `.next/cache/images/` for every unique combination of source URL, width (`w`), and quality (`q`) query parameters. Prior to 16.1.7, the `ImageOptimizerCache` class had no upper bound on total cache size and no eviction policy. An unauthenticated remote attacker can enumerate the full matrix of allowed widths and quality values across any permitted image source, generating thousands of unique cache entries and exhausting server disk space, resulting in denial of service.
Root Cause
The `ImageOptimizerCache.set()` method in `next/dist/server/image-optimizer.js` wrote optimised images to disk without tracking cumulative cache size or evicting stale entries. No configurable limit existed, so cache growth was unbounded by design until 16.1.7 introduced an LRU eviction mechanism.
Technical Impact
Unauthenticated denial of service via disk exhaustion. An attacker can fill the server's available disk space, causing the application to crash or become unable to serve new requests. No data exfiltration or code execution is possible; impact is limited to availability.
Severity Justification
CVSS 4.0 score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L) per the official GitHub advisory. Network-accessible, no authentication required, low attack complexity, but impact is limited to availability (no confidentiality or integrity impact).
Affected Components
next >= 10.0.0, < 16.1.7
Remediation Steps
- Upgrade Next.js to 16.1.7 or later: `npm install next@latest` (or `yarn upgrade next`). This is the definitive fix.
- After upgrading, optionally configure an explicit cache size cap in `next.config.js` using `images.maximumDiskCacheSize` (value in bytes). The new default is bounded by an LRU policy, but an explicit limit gives you predictable disk usage.
- If you cannot upgrade immediately, add a cron job or scheduled task to periodically delete the contents of `.next/cache/images/` (e.g. daily via `find .next/cache/images -type f -mtime +1 -delete`).
- Tighten image variant cardinality in `next.config.js`: restrict `images.deviceSizes`, `images.imageSizes`, `images.qualities`, `images.remotePatterns`, and `images.localPatterns` to only the values your application actually needs.
- Add rate limiting on the `/_next/image` path at your reverse proxy or CDN layer to reduce the request rate an attacker can sustain.
Verification Steps
- Run `npm list next` (or `yarn list next`) and confirm the installed version is 16.1.7 or higher.
- Check `next.config.js` for the `images` block and confirm `maximumDiskCacheSize` is set or that you are on a version where the LRU default applies.
- Monitor `.next/cache/images/` directory size over 24 hours after deployment to confirm it stays bounded.
- Optionally, send a burst of requests to `/_next/image?url=<valid-image>&w=<varied>&q=<varied>` and verify the cache directory does not grow unboundedly.
Code Examples (javascript)
// next.config.js — Next.js 10.0.0–16.1.6
// No maximumDiskCacheSize option exists; cache grows without bound
module.exports = {
images: {
domains: ['example.com'],
// No eviction, no size cap
},
};// next.config.js — Next.js 16.1.7+
// Upgrade first, then optionally set an explicit cap (bytes)
module.exports = {
images: {
remotePatterns: [
{ protocol: 'https', hostname: 'example.com' },
],
// Optional: cap disk cache at 512 MB (default is now LRU-bounded)
maximumDiskCacheSize: 512 * 1024 * 1024,
// Restrict variants to reduce attack surface
deviceSizes: [640, 750, 1080, 1920],
imageSizes: [16, 32, 64, 128, 256],
qualities: [75, 90],
},
};Best Practices
- Pin `images.remotePatterns` to only the hostnames and path prefixes your application genuinely needs — every additional allowed source increases the variant space.
- Set `images.qualities` explicitly to the smallest set of quality values your design requires; the default includes many values that expand the cache attack surface.
- Add disk-usage monitoring/alerting on your server so unbounded growth (from any cause) is caught early.
- Keep Next.js on a supported minor version and subscribe to the Vercel security advisory feed (GitHub Security Advisories for `vercel/next.js`).
Found this in your infrastructure?
VulWall scans for this and dozens of other issues automatically.
Scan Your Domain Free