Package details: pkg:npm/next@15.5.14
purl pkg:npm/next@15.5.14
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-qz2s-22e2-ufg9

Next.js: Unbounded next/image disk cache growth can exhaust storage

## Summary

The default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.

## Impact

An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service.

Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

## Patches

Fixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching.

## Workarounds

If upgrade is not immediately possible:

- Periodically clean `.next/cache/images`.
- Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)

Aliases: CVE-2026-27980, GHSA-3x4c-7xq6-9pq8

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-18T04:14:55.921630+00:00 GitLab Importer Fixing VCID-qz2s-22e2-ufg9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/next/CVE-2026-27980.yml 38.4.0
2026-04-02T17:01:10.839292+00:00 GHSA Importer Fixing VCID-qz2s-22e2-ufg9 https://github.com/advisories/GHSA-3x4c-7xq6-9pq8 38.1.0
2026-04-01T12:53:48.046961+00:00 GithubOSV Importer Fixing VCID-qz2s-22e2-ufg9 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3x4c-7xq6-9pq8/GHSA-3x4c-7xq6-9pq8.json 38.0.0