CVE-2025-59471
MEDIUM5.9EPSS 0.04%Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
Description
A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.
Affected packages (1)
- npm/next>= 10.0.0, < 15.5.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-59471
- PATCHhttps://github.com/vercel/next.js
- WEBhttps://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c
- WEBhttps://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec
- WEBhttps://github.com/vercel/next.js/releases/tag/v15.5.10
- WEBhttps://github.com/vercel/next.js/releases/tag/v16.1.5
- WEBhttps://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f