CVE-2025-59471
Description
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.
Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next.js applications. Until then, limit `remotePatterns` to hosts you control rather than wildcard or broadly permissive patterns, since the attacker must be able to serve a large image from an allowed domain.
CWE
- CWE-400 Uncontrolled Resource Consumption
Affected
- vercel / next:
  - v=10.0 <10.0 [affected]
  - v=11.0 <11.0 [affected]
  - v=12.0 <12.0 [affected]
  - v=13.0 <13.0 [affected]
  - v=14.0 <14.0 [affected]
  - v=15.0 <15.5.10 [affected]
  - v=16.0 <16.1.5 [affected]
CVSS
- 3.1 score=5.9 severity=MEDIUM
  - Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Source
cvelistV5-main/cves/2025/59xxx/CVE-2025-59471.json