CVE-2026-44577: Next.js has a Denial of Service in the Image Optimization API
When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed).
- If you are using images.localPatterns, only the patterns in that array are impacted.
- If you are using images.unoptimized: true, you are NOT impacted.
- If you are using images.loader: 'custom', you are NOT impacted.
- If you are using Vercel, you are NOT impacted.