CVE-2026-44577

MEDIUM LAB

Next.js: Denial of Service in the Image Optimization API

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-44577. PoCs published by dwisiswant0, XZ1r0.

AI-analyzed exploit summary This repository contains functional proof-of-concept exploits for multiple CVEs in Next.js v16.2.4, including SSRF, XSS, and DoS vulnerabilities. The PoCs are well-documented with detailed write-ups, vulnerable code excerpts, and runnable exploit scripts.

Description

Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5.

Exploits (2)

github WORKING POC 127 stars

by dwisiswant0 · pythonpoc

https://github.com/dwisiswant0/next-16.2.4-pocs

View Code ZIP pw:eip

This repository contains functional proof-of-concept exploits for multiple CVEs in Next.js v16.2.4, including SSRF, XSS, and DoS vulnerabilities. The PoCs are well-documented with detailed write-ups, vulnerable code excerpts, and runnable exploit scripts.

Classification

Working Poc 95%

Attack Type

Ssrf | Xss | Dos | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Next.js v16.2.4

No auth needed

Prerequisites: Vulnerable Next.js v16.2.4 installation · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services T1059.007 - JavaScript T1189 - Drive-by Compromise T1499 - Endpoint Denial of Service T1078 - Valid Accounts

devstral-2 · analyzed May 13, 2026 Full analysis →

github WORKING POC

by XZ1r0 · pythonpoc

https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/next-16.2.4-pocs/poc/CVE-2026-44577_GHSA-h64f-5h5j-jqjh

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2026-44577, targeting a DoS vulnerability in Next.js versions < 16.2.5 via the `/_next/image` endpoint. The exploit demonstrates OOM (Out of Memory) by sending crafted requests with oversized image assets, leveraging a mock harness and real-world attack vectors.

Classification

Working Poc 100%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Next.js < 16.2.5

No auth needed

Prerequisites: A vulnerable Next.js deployment or mock harness · Ability to send HTTP requests to the `/_next/image` endpoint

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed May 21, 2026 Full analysis →

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh

Scores

CVSS v3 5.9

EPSS 0.0002

EPSS Percentile 5.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Lab Environment

COMMUNITY SUSPICIOUS

Community Lab

https://github.com/dwisiswant0/next-16.2.4-pocs

https://github.com/XZ1r0/cve-2026-poc-collection

View in Library

Details

CWE

CWE-770

Status published

Products (5)

npm/next 10.0.0 - 15.5.16npm

npm/next 16.0.0 - 16.2.5npm

vercel/next.js 10.0.0 - 15.5.16

vercel/next.js >= 10.0.0, < 15.5.16

vercel/next.js >= 16.0.0, < 16.2.5

Published May 13, 2026

Tracked Since May 13, 2026