Vercel Next.js
cpe:2.3:a:vercel:next.js:*:*:*:*:node.js:*:*
- >= 10.0.0, < 16.1.7
A denial-of-service vulnerability exists in Next.js versions 10.0.0 through 16.1.6, related to unbounded disk cache growth in the default image optimization feature. The lack of a configurable upper limit allowed excessive cache accumulation, which could be exploited to exhaust available disk space. This issue has been addressed in Next.js version 16.1.7 by introducing an LRU-backed disk cache with a configurable maximum size, along with automatic eviction of least-recently-used entries when the limit is surpassed. Users can also disable disk caching by setting the maximumDiskCacheSize value to zero. If an immediate upgrade isn't feasible, it's recommended to manually clear the image cache directory or adjust image optimization settings to reduce cache usage.
Exploitation of this vulnerability could lead to a denial-of-service condition by filling up disk space, causing applications to fail or behave unexpectedly.
To reproduce this vulnerability, use Next.js versions 10.0.0 to 16.1.6. Generate a large number of unique image optimization requests, which will be cached without limit, eventually consuming all available disk space.
Upgrade to Next.js version 16.1.7 or later. If an immediate upgrade isn't possible, periodically clean the '.next/cache/images' directory and reduce the number of image optimization variants.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.