CVE-2025-59471
Denial of Service vulnerability in next (npm)
What is CVE-2025-59471 About?
This Denial of Service (DoS) vulnerability in self-hosted Next.js applications with configured `remotePatterns` for the Image Optimizer can lead to out-of-memory conditions. It is caused by the image optimization endpoint loading arbitrarily large external images into memory without size limits, making exploitation relatively easy for an attacker who can control a large image on an allowed domain.
Affected Software
- next
- >=10.0.0, <15.5.10
- >=15.6.0-canary.0, <16.1.5
Technical Details
The DoS vulnerability specifically impacts self-hosted Next.js applications where `remotePatterns` have been configured for the Image Optimizer. The image optimization endpoint, typically accessed via `/_next/image`, is designed to process and optimize images. However, when an external image from an allowed domain (as defined by `remotePatterns`) is requested for optimization, the vulnerable component loads the entire image into memory. Critically, it does so without enforcing any maximum size limit.

An attacker can exploit this by serving or controlling an extremely large image on a domain permitted by the `remotePatterns` configuration, then requesting the Next.js Image Optimizer to process this image. This action forces the application to allocate an excessive amount of memory, leading to an out-of-memory condition and effectively causing a Denial of Service.
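The missing control described above, as an added illustration that is not Next.js's own code and not the advisory's fix: an upstream image body buffered with no cap (the behaviour the advisory describes) beside a read that enforces a byte budget. The upstream server is replaced by a constructed in-memory stream so the code runs offline; `MAX_INPUT_BYTES`, `fakeUpstream`, `readUnbounded` and `readBounded` are names and values chosen for this example only.

```javascript
// Added illustration (not Next.js code): buffering an upstream image body with no
// cap, as the advisory describes, beside a read that enforces a byte budget.
// The upstream "server" is a constructed in-memory stream so this runs offline.

const MAX_INPUT_BYTES = 1024 * 1024; // assumed 1 MiB budget for the illustration

// Constructed upstream response: `total` bytes of zeros delivered in `chunk`-byte
// pieces. Only the shape fetch() would give us matters: a Headers object and a
// ReadableStream body.
function fakeUpstream(total, chunk, headers = {}) {
  let sent = 0;
  const body = new ReadableStream({
    pull(controller) {
      if (sent >= total) {
        controller.close();
        return;
      }
      const n = Math.min(chunk, total - sent);
      controller.enqueue(new Uint8Array(n));
      sent += n;
    },
  });
  return { headers: new Headers(headers), body };
}

// Vulnerable pattern: keep pulling chunks until upstream closes, whatever the size.
// Retained memory grows linearly with the remote image; a multi-gigabyte image
// on an allowed host exhausts the heap. Returns the number of bytes buffered.
async function readUnbounded(res) {
  const reader = res.body.getReader();
  const chunks = []; // every chunk is retained until decoding finishes
  let received = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    chunks.push(value);
    received += value.byteLength;
  }
  return received;
}

// Hardened pattern: refuse on the declared size first, then keep counting while
// streaming, because Content-Length may be absent, wrong, or chunked away.
// Resolves to the number of bytes buffered, or rejects with RangeError.
async function readBounded(res, maxBytes = MAX_INPUT_BYTES) {
  const declared = Number(res.headers.get('content-length')); // null -> 0
  if (Number.isFinite(declared) && declared > maxBytes) {
    throw new RangeError(`declared size ${declared} exceeds limit ${maxBytes}`);
  }
  const reader = res.body.getReader();
  const chunks = [];
  let received = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    received += value.byteLength;
    if (received > maxBytes) {
      // Stop pulling from upstream; the partial buffer is dropped on return.
      await reader.cancel();
      throw new RangeError(`body exceeded limit ${maxBytes} after ${received} bytes`);
    }
    chunks.push(value);
  }
  return received;
}
```

Checking the declared length alone is not enough: an attacker-controlled origin can omit `Content-Length` or send a chunked body, so the running count during the read is the control that actually bounds memory. The real remediation for affected deployments is the upgrade listed below; this block only shows the shape of the missing limit.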
What is the Impact of CVE-2025-59471?
Successful exploitation may allow attackers to trigger out-of-memory conditions, leading to a Denial of Service and making the affected Next.js application unavailable to legitimate users.
What is the Exploitability of CVE-2025-59471?
Exploitation requires the Next.js application to be self-hosted and to have `remotePatterns` configured to allow image optimization from external domains. The attacker must be able to place or serve an arbitrarily large image on one of those allowed domains; this does not require owning the domain, since an allowed host that serves user-uploaded content is enough. The attack then consists of a remote request to the Image Optimizer endpoint (`/_next/image`) naming that image. No authentication or special privileges are required, and complexity is low: the work is identifying target applications and hosting a large image. The likelihood of exploitation increases when the `remotePatterns` configuration is overly broad (wildcard hostnames or many external domains) and when the application is publicly accessible.
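What "overly broad" looks like in practice, as an added configuration example that is not from the advisory or the Next.js repository: a `next.config.js` with a wildcard `remotePatterns` entry beside a tightened one. The hostnames and path are placeholders; the `remotePatterns` fields (`protocol`, `hostname`, `pathname`) and the `/_next/image` query shape are the real Next.js API.

```javascript
// next.config.js: added example, not taken from the advisory or the Next.js repo.
// Hostnames and paths are placeholders. The request that reaches the optimizer
// looks like
//   /_next/image?url=<encoded remote URL>&w=<width>&q=<quality>
// and any `url` matching one of these patterns is fetched and decoded server-side.
module.exports = {
  images: {
    remotePatterns: [
      // Broad: every host under the wildcard is trusted, including any host on
      // which third parties can upload content. Left commented out on purpose.
      // { protocol: 'https', hostname: '**.example-cdn.net' },

      // Narrower: one host and one path prefix where image sizes are under
      // your own control.
      {
        protocol: 'https',
        hostname: 'assets.example.com',
        pathname: '/product-images/**',
      },
    ],
  },
};
```

Narrowing the patterns reduces who can reach the optimizer with an attacker-sized image; it does not remove the missing size check, so it is a compensating control, not a substitute for upgrading to the fixed versions listed below.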
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-59471?
Available Upgrade Options
- next
- >=10.0.0, <15.5.10 → Upgrade to 15.5.10
- next
- >=15.6.0-canary.0, <16.1.5 → Upgrade to 16.1.5
Additional Resources
- https://github.com/vercel/next.js
- https://github.com/vercel/next.js/releases/tag/v15.5.10
- https://osv.dev/vulnerability/GHSA-9g9p-9gw9-jx7f
- https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c
- https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec
- https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f
- https://github.com/vercel/next.js/releases/tag/v16.1.5
- https://nvd.nist.gov/vuln/detail/CVE-2025-59471
What are Similar Vulnerabilities to CVE-2025-59471?
Similar Vulnerabilities: CVE-2023-24883, CVE-2022-21877, CVE-2021-38076, CVE-2021-27905, CVE-2020-29361
