Fluid Attacks Database

Description

A flaw was found in Next.js. When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. A remote attacker could exploit this by requesting large local assets from the /_next/image endpoint. This can lead to out-of-memory conditions, resulting in a Denial of Service (DoS) for the application.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	next	>=10.0.0 <15.5.16 \|\| >=16.0.0 <16.2.5	15.5.16, 16.2.5
rpm rhel7	firefox	-	-
rpm rhel8	firefox	-	-
rpm rhel10	thunderbird	-	-
rpm rhel8	thunderbird	-	-
rpm rhel10	firefox	-	-
rpm rhel9	firefox	-	-
rpm rhel9	thunderbird	-	-

Aliases

1. CVE-2026-445772. NVD-2026-445773. OSV-2026-445774. GHSA-h64f-5h5j-jqjh5. GCVE-2026-44577

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh2. https://github.com/vercel/next.js/releases/tag/v15.5.163. https://github.com/vercel/next.js/releases/tag/v16.2.5