CVE-2025-59471

MEDIUM

Next.js 10.0.0-15.5.9 - Denial of Service via Image Optimizer Remote Patterns

Title source: llm

Description

A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

References (1)

Core 1

Core References

Vendor Advisory

https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f

Scores

CVSS v3 5.9

EPSS 0.0044

EPSS Percentile 35.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (2)

npm/next 10.0.0 - 15.5.10npm

vercel/next.js 10.0.0 - 15.5.10

Published Jan 26, 2026

Tracked Since Feb 18, 2026