CVE-2025-59471
Published 2026-01-26
Priority: P3 · 43 · Severity: high · CVSS 3.1: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.44% (35.5th percentile)
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.
Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
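An added illustration of the missing size check, not code from Next.js or from its fix: `readWithByteLimit` refuses an upstream image whose declared or observed size passes a cap, which is the bound any self-hosted image proxy that accepts `remotePatterns` hosts needs. The 4 MiB default, `fakeImageResponse` and the streamed bodies are constructed for the example so it runs offline.

```javascript
// Added example, not code from Next.js: a byte-capped body reader for an
// image-proxying endpoint. The upstream "fetch" below is a constructed stand-in.

const MAX_IMAGE_BYTES = 4 * 1024 * 1024; // assumed cap; size it for the site's real images

// Hardened pattern (the vulnerable one buffers the whole body unconditionally):
// refuse a declared oversize body before reading anything, then count bytes as
// they stream in, because Content-Length can be absent or wrong.
async function readWithByteLimit(response, maxBytes = MAX_IMAGE_BYTES) {
  const declared = Number(response.headers.get("content-length"));
  if (Number.isFinite(declared) && declared > maxBytes) {
    throw new Error(`declared size ${declared} exceeds limit ${maxBytes}`);
  }
  const reader = response.body.getReader();
  const chunks = [];
  let received = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    received += value.byteLength;
    if (received > maxBytes) {
      await reader.cancel(); // stop pulling from upstream and drop what was buffered
      throw new Error(`body exceeded limit ${maxBytes} after ${received} bytes`);
    }
    chunks.push(value);
  }
  return Buffer.concat(chunks);
}

// Constructed upstream: streams `totalBytes` of zeros in 64 KiB chunks, with an
// optional Content-Length that may deliberately disagree with the real size.
function fakeImageResponse(totalBytes, { contentLength } = {}) {
  let sent = 0;
  const body = new ReadableStream({
    pull(controller) {
      if (sent >= totalBytes) return controller.close();
      const n = Math.min(65536, totalBytes - sent);
      controller.enqueue(new Uint8Array(n));
      sent += n;
    },
  });
  const headers = new Headers({ "content-type": "image/png" });
  if (contentLength !== undefined) headers.set("content-length", String(contentLength));
  return new Response(body, { headers });
}
```

The streaming check is what matters operationally: a small or missing Content-Length must not let an oversized body through.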
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 10.0.0 < 15.5.10 | 15.5.10 |
| next | next | >= 15.6.0-canary.0 < 16.1.5 | 16.1.5 |
| vercel | next | >= 10.0 < 10.0 | 10.0 |
| vercel | next | >= 11.0 < 11.0 | 11.0 |
| vercel | next | >= 12.0 < 12.0 | 12.0 |
| vercel | next | >= 13.0 < 13.0 | 13.0 |
| vercel | next | >= 14.0 < 14.0 | 14.0 |
| vercel | next | >= 15.0 < 15.5.10 | 15.5.10 |
| vercel | next | >= 16.0 < 16.1.5 | 16.1.5 |
| vercel | next.js | >= 10.0.0 < 15.5.10 | 15.5.10 |
| vercel | next.js | >= 16.0.0 < 16.1.5 | 16.1.5 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | | 5.9 | MEDIUM | |
OSV
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
osv · 2026-01-27 · severity MEDIUM
Description matches the NVD text above; recommends upgrading to 15.5.10 and 16.1.5.
GHSA
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
ghsa · 2026-01-27 · severity MEDIUM · CWE-400
Description matches the NVD text above; recommends upgrading to 15.5.10 and 16.1.5.
Red Hat
next: NextJS Denial of Service in Image Optimizer
vendor_redhat · 2026-01-26 · CVSS 5.9 · severity MEDIUM · CWE-770
Description matches the NVD text above; recommends upgrading to 15.5.10 or 16.1.5.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-59471 icecat: NextJS Denial of Service in Image Optimizer [fedora-42]
bugzilla · 2026-01-28 · CVSS 7.5 · severity HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'versio
Bugzilla
CVE-2025-59471 thunderbird: NextJS Denial of Service in Image Optimizer [fedora-42]
bugzilla · 2026-01-28 · CVSS 7.5 · severity HIGH
Same disclaimer and Fedora Linux 42 end-of-life reminder as the icecat tracker above.
Bugzilla
CVE-2025-59471 firefox: NextJS Denial of Service in Image Optimizer [fedora-42]
bugzilla · 2026-01-28 · CVSS 7.5 · severity HIGH
Same disclaimer and Fedora Linux 42 end-of-life reminder as the icecat tracker above.
Wiz
CVE-2025-59471 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9 · severity MEDIUM
Wiz page title: "CVE-2025-59471: ASP.NET Core vulnerability analysis and mitigation". Note that the technologies and packages Wiz lists below (ASP.NET Core, dotnet-sdk-7.0) do not match the Next.js advisory above; the description Wiz carries is the NVD text, with the same upgrade advice (15.5.10 or 16.1.5).
Source: NVD
Score: 7.5 · Severity: HIGH · CNA Score: 5.9
Published: January 26, 2026
Affected Technologies: ASP.NET Core, Wolfi
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7.7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: dotnet-sdk-7.0, dotnet-sdk-7.0-source-built-artifacts
Sources:
| Source | Severity | Fix status | Added at |
|---|---|---|---|
| NVD | | | |
| Chainguard | | Has Fix | Feb 10, 2026 |
| npm | MEDIUM | Has Fix | Jan 28, 2026 |
| Red Hat 7, 8, 9, 10 | MEDIUM | No Fix | |
Published 2026-01-26