Vercel Next vulnerabilities
2 known vulnerabilities affecting vercel/next.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
HIGH: 2
Vulnerabilities
CVE-2025-59471 | P3 | HIGH | CVSS 7.5 | ≥ 10.0, < 10.0; ≥ 11.0, < 11.0; +5 more | 2026-01-26
CVE-2025-59471 [HIGH] CWE-400
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization
nvd
CVE-2025-59472 | P3 | HIGH | CVSS 7.5 | ≥ 15.0.0-canary.0, < 15.0.0; ≥ 15.0.1-canary.0, < 15.0.1; +58 more | 2026-01-26
CVE-2025-59472 [HIGH] CWE-400
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the serv
nvd