CVE-2025-59471
published 2026-01-26


Priority: P343
Severity: high, CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.44% (35.5th percentile)
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`, which takes the source image as the `url` query parameter) loads external images entirely into memory without enforcing a maximum size limit, so an attacker can cause out-of-memory conditions by requesting optimization of arbitrarily large images. Exploitation requires two things: `remotePatterns` must allow image optimization from an external domain, and the attacker must be able to serve or control a large image on an allowed domain. The second condition is easy to meet when the allowed pattern is a broad wildcard or the allowed host serves user-uploaded content. Upgrade to 15.5.10 or 16.1.5 to remove the issue; until then, keep `remotePatterns` as narrow as possible (exact hostnames and path prefixes rather than wildcards) to limit who can supply images to the endpoint.
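The defect described above, modelled as an added example that is not Next.js's own optimizer code: an image body read fully into memory with no cap, beside a reader that enforces a byte limit while streaming and hangs up as soon as the limit is crossed. The `Origin` stand-in, the function names and the 4 MiB default limit are assumptions for this illustration; the origin object simulates a server on an allowed `remotePatterns` host that the attacker controls.

```javascript
// Added example for this page, not code from Next.js. Models the image
// optimizer's failure mode (unbounded read) next to a bounded reader.
"use strict";

const MAX_IMAGE_BYTES = 4 * 1024 * 1024; // assumed cap; size it to your largest legitimate image

/** Constructed stand-in for an attacker-controlled origin on an allowed host.
 *  It serves `chunkCount` chunks of `chunkSize` bytes, claims whatever
 *  Content-Length it likes, and records how much the reader actually pulled
 *  and whether the reader closed the connection early. */
class Origin {
  constructor({ chunkCount, chunkSize, declaredLength }) {
    this.chunkCount = chunkCount;
    this.chunkSize = chunkSize;
    this.declaredLength = declaredLength; // Content-Length as the server claims it (may be absent or a lie)
    this.chunksSent = 0;
    this.closed = false;
  }
  *body() {
    try {
      for (let i = 0; i < this.chunkCount; i++) {
        this.chunksSent++;
        yield Buffer.alloc(this.chunkSize, 0xff);
      }
    } finally {
      this.closed = true; // runs when the reader stops iterating, early or not
    }
  }
}

/** Vulnerable pattern: collect every chunk until the server stops sending.
 *  Peak memory is chosen by the remote server, not by the application. */
function readUnbounded(origin) {
  const chunks = [];
  for (const chunk of origin.body()) chunks.push(chunk);
  return Buffer.concat(chunks);
}

/** Hardened pattern. A declared Content-Length above the cap is rejected before
 *  any body bytes are read, but the header is only a claim from an untrusted
 *  server (it can be omitted or understated), so the running byte count is
 *  enforced on every chunk and the connection is dropped once the cap is hit. */
function readBounded(origin, maxBytes = MAX_IMAGE_BYTES) {
  if (origin.declaredLength !== undefined && origin.declaredLength > maxBytes) {
    throw new RangeError(`declared Content-Length ${origin.declaredLength} exceeds ${maxBytes}`);
  }
  const chunks = [];
  let total = 0;
  for (const chunk of origin.body()) {
    total += chunk.length;
    if (total > maxBytes) {
      // Throwing out of for..of closes the generator, i.e. hangs up on the origin.
      throw new RangeError(`body exceeded ${maxBytes} bytes`);
    }
    chunks.push(chunk);
  }
  return Buffer.concat(chunks);
}

/** Demo with a 64 KiB cap: a small legitimate image, and a 16 MiB image whose
 *  server understates its size so the Content-Length check alone would pass. */
function demo() {
  const limit = 64 * 1024;
  const small = new Origin({ chunkCount: 2, chunkSize: 16 * 1024, declaredLength: 32 * 1024 });
  const huge = new Origin({ chunkCount: 1000, chunkSize: 16 * 1024, declaredLength: 1024 });

  const okBytes = readBounded(small, limit).length;
  let rejected = false;
  try {
    readBounded(huge, limit);
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  // The vulnerable reader happily buffers the whole 16 MiB from a fresh origin.
  const unboundedBytes = readUnbounded(new Origin({ chunkCount: 1000, chunkSize: 16 * 1024 })).length;

  return { okBytes, rejected, chunksPulled: huge.chunksSent, closed: huge.closed, unboundedBytes };
}

module.exports = { Origin, readUnbounded, readBounded, demo, MAX_IMAGE_BYTES };
```

With a real `fetch` the same loop applies: check `response.headers.get("content-length")` first, iterate `response.body` with `for await`, count bytes, and call `AbortController.abort()` when the cap is exceeded. Note that the bounded reader still pulls one chunk past the limit before it can tell, so the cap plus one chunk is the true peak, and the check must sit in front of any decode step, since decoding is where a few megabytes of compressed image become far more in memory.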

Affected (11 ranges, as listed by the source)

Vendor   Product   Version range                    Fixed in
next     next      >= 10.0.0 < 15.5.10              15.5.10
next     next      >= 15.6.0-canary.0 < 16.1.5      16.1.5
vercel   next      >= 10.0 < 10.0                   10.0
vercel   next      >= 11.0 < 11.0                   11.0
vercel   next      >= 12.0 < 12.0                   12.0
vercel   next      >= 13.0 < 13.0                   13.0
vercel   next      >= 14.0 < 14.0                   14.0
vercel   next      >= 15.0 < 15.5.10                15.5.10
vercel   next      >= 16.0 < 16.1.5                 16.1.5
vercel   next.js   >= 10.0.0 < 15.5.10              15.5.10
vercel   next.js   >= 16.0.0 < 16.1.5               16.1.5

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat             5.9     MEDIUM