Package details: pkg:npm/next@15.5.13
purl pkg:npm/next@15.5.13
Next non-vulnerable version 15.5.14
Latest non-vulnerable version 16.2.3
Risk 3.1
Vulnerabilities affecting this package (1)
Vulnerability: VCID-qz2s-22e2-ufg9
Aliases: CVE-2026-27980, GHSA-3x4c-7xq6-9pq8
Summary: Next.js: Unbounded next/image disk cache growth can exhaust storage

## Summary
The default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.

## Impact
An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

## Patches
Fixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching.

## Workarounds
If upgrade is not immediately possible:
- Periodically clean `.next/cache/images`.
- Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).

Fixed by:
- 15.5.14 (affected by 0 other vulnerabilities)
- 15.6.0-canary.0 (affected by 5 other vulnerabilities)
- 16.1.7 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-5kj1-stm6-8qgv
Aliases: CVE-2026-29057, GHSA-ggv3-7p47-pfv8
Summary: Next.js: HTTP request smuggling in rewrites

## Summary
When Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

## Impact
An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

## Patches
The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency's behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path.

## Workarounds
If upgrade is not immediately possible:
- Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your edge/proxy.
- Enforce authentication/authorization on backend routes per our [security guidance](https://nextjs.org/docs/app/guides/data-security).
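The patch description above is precise about the header rule that changed, so the boundary disagreement can be reproduced in a few lines. What follows is an added example, not Next.js code and not the vendored proxy library's code: `normalizeHeadersVulnerable` applies the pre-fix rule the advisory describes (force `content-length: 0` and drop `transfer-encoding` on `DELETE`/`OPTIONS`), `normalizeHeadersFixed` applies the corrected rule, and `parseRequests` is a deliberately small HTTP/1.1 framing parser standing in for the backend. The routes (`/api/item`, `/admin/users`), hostnames and request bytes are constructed for illustration.

```javascript
// Added example, not Next.js or the vendored proxy library's code: models the
// request-boundary disagreement from the advisory. Routes, hosts and bytes are
// constructed for illustration.

// Pre-fix normalisation as the advisory describes it: a DELETE/OPTIONS request
// with no content-length gets content-length: 0 and loses transfer-encoding,
// even when the body was chunked.
function normalizeHeadersVulnerable(method, headers) {
  const h = { ...headers };
  if ((method === 'DELETE' || method === 'OPTIONS') && !h['content-length']) {
    h['content-length'] = '0';
    delete h['transfer-encoding'];
  }
  return h;
}

// Post-fix normalisation: content-length: 0 only when neither framing header
// is present, and transfer-encoding is left alone.
function normalizeHeadersFixed(method, headers) {
  const h = { ...headers };
  if ((method === 'DELETE' || method === 'OPTIONS') &&
      !h['content-length'] && !h['transfer-encoding']) {
    h['content-length'] = '0';
  }
  return h;
}

// Minimal HTTP/1.1 framing parser standing in for the backend: splits a byte
// stream into requests using content-length or chunked transfer-encoding.
function parseRequests(raw) {
  const reqs = [];
  let pos = 0;
  while (pos < raw.length) {
    const headEnd = raw.indexOf('\r\n\r\n', pos);
    if (headEnd === -1) break;
    const lines = raw.slice(pos, headEnd).split('\r\n');
    const [method, path] = lines[0].split(' ');
    const headers = {};
    for (const line of lines.slice(1)) {
      const i = line.indexOf(':');
      headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
    pos = headEnd + 4;
    let body = '';
    if ((headers['transfer-encoding'] || '').toLowerCase() === 'chunked') {
      for (;;) {
        const lineEnd = raw.indexOf('\r\n', pos);
        const size = parseInt(raw.slice(pos, lineEnd), 16);
        pos = lineEnd + 2;
        if (size === 0) { pos += 2; break; } // last-chunk, no trailers
        body += raw.slice(pos, pos + size);
        pos += size + 2;
      }
    } else {
      const len = parseInt(headers['content-length'] || '0', 10);
      body = raw.slice(pos, pos + len);
      pos += len;
    }
    reqs.push({ method, path, headers, body });
  }
  return reqs;
}

// Constructed attacker request: a chunked DELETE to a rewritten route whose
// decoded body is itself a complete request for an internal route.
const smuggled = 'GET /admin/users HTTP/1.1\r\nHost: backend\r\n\r\n';
const clientHeaders = { host: 'app.example', 'transfer-encoding': 'chunked' };
const chunkedBody = smuggled.length.toString(16) + '\r\n' + smuggled + '\r\n0\r\n\r\n';

// Forward through a proxy that applies `normalize`, then let the backend frame
// the stream. The proxy's own HTTP parser already de-chunked the client body:
// with transfer-encoding kept it re-chunks on the way out; with it dropped it
// sends the decoded bytes under content-length: 0, and the backend treats the
// body as the start of a second request.
function forward(normalize) {
  const h = normalize('DELETE', clientHeaders);
  const head = ['DELETE /api/item HTTP/1.1',
    ...Object.entries(h).map(([k, v]) => `${k}: ${v}`)].join('\r\n') + '\r\n\r\n';
  const body = h['transfer-encoding'] ? chunkedBody : smuggled;
  return parseRequests(head + body).map((r) => `${r.method} ${r.path}`);
}

console.log('vulnerable:', forward(normalizeHeadersVulnerable));
console.log('fixed:     ', forward(normalizeHeadersFixed));
```

With the pre-fix rule the backend sees two requests, `DELETE /api/item` followed by `GET /admin/users`, even though the rewrite only ever pointed at `/api/item`; with the fixed rule it sees one `DELETE` whose body happens to contain HTTP text. This is also why the first workaround (rejecting chunked `DELETE`/`OPTIONS` at the edge) works: it removes the only input on which the two framings diverge.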

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-19T18:06:16.280726+00:00 GitLab Importer Affected by VCID-qz2s-22e2-ufg9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/next/CVE-2026-27980.yml 38.4.0
2026-04-18T04:14:56.830939+00:00 GitLab Importer Fixing VCID-5kj1-stm6-8qgv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/next/CVE-2026-29057.yml 38.4.0
2026-04-02T17:01:10.930409+00:00 GHSA Importer Fixing VCID-5kj1-stm6-8qgv https://github.com/advisories/GHSA-ggv3-7p47-pfv8 38.1.0
2026-04-01T12:53:44.649656+00:00 GithubOSV Importer Fixing VCID-5kj1-stm6-8qgv https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-ggv3-7p47-pfv8/GHSA-ggv3-7p47-pfv8.json 38.0.0