
CVE-2026-27980: CWE-400: Uncontrolled Resource Consumption in vercel next.js

Severity: Medium
Tags: Vulnerability, CVE-2026-27980, CWE-400
Published: Wed Mar 18 2026 (03/18/2026, 00:23:34 UTC)
Source: CVE Database V5
Vendor/Project: vercel
Product: next.js

Description

CVE-2026-27980 is a medium-severity vulnerability in the Next.js React framework, versions 10.0.0 up to but not including 16.1.7. The issue arises from an uncontrolled resource consumption flaw in the default image optimization disk cache, which lacks an upper bound on cache size. An attacker can exploit this by generating numerous unique image variants, causing the cache to grow without limit and eventually exhausting disk space, leading to denial of service. The vulnerability requires no authentication or user interaction and can be triggered remotely. The issue is resolved in Next.

AI-Powered Analysis

AI analysis last updated: 03/18/2026, 01:13:24 UTC

Technical Analysis

CVE-2026-27980 is a resource exhaustion vulnerability classified under CWE-400 affecting the Next.js framework, specifically the image optimization disk cache feature introduced in version 10.0.0. The default disk cache serving the `/_next/image` endpoint imposed no configurable limit on disk usage, so it could grow without bound. Because each unique combination of image optimization parameters is cached as a separate entry, an attacker can request many distinct variants and make the cache expand indefinitely. Once the cache consumes all available disk space on the server, the result is denial of service through resource exhaustion. The vulnerability requires no authentication or user interaction and can be triggered remotely over the network. The fix, introduced in Next.js 16.1.7, adds an LRU (Least Recently Used) cache with a configurable maximum disk cache size (`images.maximumDiskCacheSize`) that evicts the least recently used entries when the limit is reached; setting this value to zero disables disk caching entirely. Where an immediate upgrade is not feasible, administrators are advised to periodically clean the `.next/cache/images` directory and to reduce the number of possible image variants by tightening configuration parameters such as `images.localPatterns`, `images.remotePatterns`, and `images.qualities`. This vulnerability affects any web application running the affected Next.js versions with image optimization enabled, and can lead to service outages and degraded user experience.
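The fix and the interim mitigations above both come down to the `images` block of `next.config.js`. The following is an added example, not code from the advisory or from the Next.js project: it places a close-to-default, unbounded configuration next to a bounded one using the options the advisory names (`maximumDiskCacheSize`, `remotePatterns`, `localPatterns`, `qualities`), and includes a small audit helper that flags the settings which let the cache grow without limit. The hostname, path and quality values are constructed placeholders, and the unit of `maximumDiskCacheSize` is assumed here to be bytes.

```javascript
// next.config.js-style hardening for the Next.js image optimizer cache.
// Added example for CVE-2026-27980; not from the advisory or the Next.js
// project. Option names follow the advisory; the unit of
// maximumDiskCacheSize is assumed to be bytes (verify against your version).
const ONE_GIB = 1024 * 1024 * 1024;

// Before: an essentially default configuration. No cache bound, any HTTPS
// host accepted, quality not pinned, so every distinct
// (source, width, quality) tuple becomes a new file on disk.
const permissiveImages = {
  remotePatterns: [{ protocol: 'https', hostname: '**' }],
};

// After: bounded LRU cache (Next.js >= 16.1.7), pinned remote host and path,
// pinned local path, and a single allowed quality. Hostname and paths are
// constructed placeholders.
const hardenedImages = {
  maximumDiskCacheSize: ONE_GIB,       // 0 would disable the disk cache entirely
  remotePatterns: [
    { protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' },
  ],
  localPatterns: [{ pathname: '/images/**' }],
  qualities: [75],
};

// Review helper: returns a list of findings that indicate unbounded cache
// growth or high variant cardinality. An empty list means nothing flagged.
function auditImagesConfig(images = {}) {
  const findings = [];

  // The core CVE condition: no upper bound on the disk cache.
  if (typeof images.maximumDiskCacheSize !== 'number') {
    findings.push('maximumDiskCacheSize not set: disk cache is unbounded');
  }

  // Wildcard hosts let any remote URL become a cacheable source.
  const wildcardHost = (images.remotePatterns || []).some(
    (p) => !p.hostname || p.hostname === '**' || p.hostname.startsWith('*'),
  );
  if (wildcardHost) {
    findings.push('remotePatterns allows wildcard hosts: unbounded source set');
  }

  // Each accepted quality value multiplies the number of cached variants.
  if (!Array.isArray(images.qualities) || images.qualities.length > 3) {
    findings.push('qualities not pinned to a small set: variant multiplier');
  }

  return findings;
}

// Export as a Next.js config module when loaded as one; the audit helper is
// exported alongside so a CI step can run it against the live config.
if (typeof module !== 'undefined') {
  module.exports = { images: hardenedImages, permissiveImages, hardenedImages, auditImagesConfig };
}
```

Running `auditImagesConfig` over the two objects shows the difference: the permissive block produces three findings (unbounded cache, wildcard host, unpinned qualities), the hardened block none. A config that sets `maximumDiskCacheSize: 0` also passes the bound check, since zero is a deliberate "no disk cache" setting rather than an absent one.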

Potential Impact

The primary impact of this vulnerability is denial of service caused by disk space exhaustion on servers running vulnerable Next.js versions. Organizations hosting web applications with image optimization enabled are at risk of service disruption if an attacker floods the cache with numerous unique image requests. This can lead to application downtime, degraded performance, and potential loss of revenue or user trust. Since the exploit requires no authentication or user interaction, it can be executed by any remote attacker, increasing the risk of opportunistic or targeted attacks. The vulnerability could also indirectly affect other services on the same server if disk space is fully consumed, potentially impacting broader infrastructure. Organizations relying heavily on Next.js for public-facing applications, especially those with high traffic or image-heavy content, are particularly vulnerable. Although no known exploits are reported in the wild yet, the ease of exploitation and potential impact warrant prompt mitigation.

Mitigation Recommendations

To mitigate this vulnerability, organizations should upgrade Next.js to version 16.1.7 or later, which includes the fix with an LRU-backed disk cache and a configurable maximum disk cache size. If an immediate upgrade is not possible, administrators should implement the following measures:

1) Regularly schedule automated or manual cleanup of the `.next/cache/images` directory to prevent uncontrolled cache growth.
2) Reduce the number of unique image variants generated by tightening configuration settings such as `images.localPatterns`, `images.remotePatterns`, and `images.qualities` to limit variant cardinality.
3) Consider disabling disk caching by setting `images.maximumDiskCacheSize` to zero if caching is not critical for performance.
4) Monitor disk usage closely on servers running vulnerable versions to detect abnormal growth early.
5) Implement rate limiting or request filtering on image optimization endpoints to prevent abuse by excessive unique requests.

These steps help contain the risk until a full upgrade can be performed.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-25T03:24:57.793Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69b9f8b0771bdb174900ac91

Added to database: 3/18/2026, 12:58:24 AM

Last enriched: 3/18/2026, 1:13:24 AM

Last updated: 3/18/2026, 6:10:30 AM

