PT-2026-4816 · Vercel · Next.Js
Published 2026-01-26 · Updated 2026-02-13 · CVE-2025-59471
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Next.js versions prior to 15.5.10
Next.js versions prior to 16.1.5
Description
A denial-of-service issue exists in self-hosted Next.js applications that use the Image Optimizer with remotePatterns configured. The image optimization endpoint (/_next/image) loads external images completely into memory without a size restriction, potentially leading to out-of-memory conditions when processing excessively large images. Exploitation requires that remotePatterns is configured to permit image optimization from external domains and that the attacker is able to serve or control a large image on an allowed domain.
Recommendations
Upgrade to Next.js version 15.5.10 or later.
Upgrade to Next.js version 16.1.5 or later.
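As an added illustration (not code from the advisory or from Next.js), the following Node.js snippet places the unbounded read the description refers to beside a byte-budgeted variant that rejects on the declared length and then enforces the cap while streaming; the 8 MiB limit, the function names and the constructed stand-in response are assumptions.

```javascript
// Added example, not from the advisory or the Next.js code base. Contrasts the
// unbounded buffering the advisory describes with a byte-budgeted reader.
// Requires Node 18+ (global ReadableStream, Headers, Response).
const MAX_IMAGE_BYTES = 8 * 1024 * 1024; // hypothetical 8 MiB budget

// Pattern the advisory describes: the whole upstream body is pulled into
// memory, so an oversized image drives the process toward OOM.
async function readBodyUnbounded(response) {
  return Buffer.from(await response.arrayBuffer());
}

// Hardened pattern: reject early on the declared length, then enforce the cap
// while streaming so a missing or understated Content-Length cannot bypass it.
async function readBodyBounded(response, maxBytes = MAX_IMAGE_BYTES) {
  const declared = response.headers.get('content-length');
  if (declared !== null && Number(declared) > maxBytes) {
    throw new Error(`upstream declares ${declared} bytes, limit ${maxBytes}`);
  }
  const reader = response.body.getReader();
  const chunks = [];
  let received = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    received += value.byteLength;
    if (received > maxBytes) {
      await reader.cancel(); // stop pulling bytes from upstream
      throw new Error(`upstream body exceeded ${maxBytes} bytes`);
    }
    chunks.push(value);
  }
  return Buffer.concat(chunks);
}

// Constructed stand-in for a fetch() Response that streams `total` zero bytes
// in `chunk`-sized pieces, with or without a Content-Length header.
function fakeImageResponse(total, chunk = 64 * 1024, declareLength = true) {
  let sent = 0;
  const body = new ReadableStream({
    pull(controller) {
      if (sent >= total) { controller.close(); return; }
      const n = Math.min(chunk, total - sent);
      controller.enqueue(new Uint8Array(n));
      sent += n;
    },
  });
  const headers = new Headers();
  if (declareLength) headers.set('content-length', String(total));
  return new Response(body, { headers });
}
```

The streaming check matters because a cooperating upstream could omit or understate Content-Length; the cap is enforced on bytes actually received, not on what the peer claims.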
Fix
DoS
Allocation of Resources Without Limits
Resource Exhaustion
Related Identifiers
Affected Products
Next.Js