Allocation of Resources Without Limits or Throttling Affecting next package, versions >=10.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-NEXT-16638680
- published11 May 2026
- disclosed11 May 2026
- creditUnknown
Introduced: 11 May 2026
NewCVE-2026-44577 (opens in a new tab)How to fix?
Upgrade next to version 15.5.16, 16.2.5 or higher.
Overview
next is a react framework.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Image Optimization API when handling requests to the /_next/image endpoint that match the images.localPatterns configuration. An attacker can exhaust server memory and cause a denial of service by requesting large local assets, leading to out-of-memory conditions.
Note: This is only exploitable if the default image loader is used and the images.localPatterns configuration allows access to large local files.
Workaround
This vulnerability can be mitigated by disabling routing of large local assets through /_next/image, disabling image optimization for large or untrusted local files, blocking image optimization access to those assets at the edge, or setting images.localPatterns: [] in the configuration.