hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动

更新: 114 个文件 - 2026-03-19 16:45:07

浏览代码
这个提交包含在:
hao
2026-03-19 16:45:07 -07:00
父节点 2e67bff9a7
当前提交 49fe46ab89
修改 114 个文件,包含 6388 行新增1023 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

11
08-threat-intel/registry/advisories/nextjs--CVE-2026-27980.json
查看文件

@@ -5,15 +5,16 @@
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js: Unbounded next/image disk cache growth can exhaust storage",
"summary": "## Summary\nThe default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.\n\n## Impact\nAn attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service.\n\n## Patches\nFixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Periodically clean `.next/cache/images`.\n- Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)",
"summary": "## Summary\nThe default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.\n\n## Impact\nAn attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.\n\n## Patches\nFixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Periodically clean `.next/cache/images`.\n- Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)",
"published_at": "2026-03-17T16:17:06Z",
"updated_at": "2026-03-17T16:31:33.597080Z",
"updated_at": "2026-03-19T18:47:09.413134Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-27980",
"https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v16.1.7"
@@ -32,10 +33,12 @@
"GHSA-3x4c-7xq6-9pq8"
],
"affected_versions": [
"introduced=10.0.0, fixed<16.1.7"
"introduced=16.0.0-beta.0, fixed<16.1.7",
"introduced=10.0.0, fixed<15.5.14"
],
"fixed_versions": [
"16.1.7"
"16.1.7",
"15.5.14"
],
"package_name": "next",
"render_markdown": true,