Platform: nodejs
Component: next
Fixed in: 10.0, 11.0, 12.0, 13.0, 14.0, 15.5.10, 16.1.5
CVE-2025-59471 describes a Denial of Service (DoS) vulnerability affecting self-hosted Next.js applications. This vulnerability arises within the Image Optimizer component when remotePatterns are configured for external image sources. An attacker can exploit this by requesting the optimization of excessively large images, leading to out-of-memory errors and potential service disruption. Affected versions are those prior to 15.5.10, and a fix is available in version 15.5.10.
The primary impact of CVE-2025-59471 is a denial of service. An attacker who can control or serve a large image on a domain permitted by the remotePatterns configuration can trigger the vulnerability. The Next.js Image Optimizer endpoint (/_next/image) loads these external images entirely into memory without imposing size limits. By repeatedly requesting the optimization of very large images, an attacker can exhaust server memory, causing the Next.js application to become unresponsive or crash. This can disrupt service availability for legitimate users and potentially lead to further exploitation if the server is already under stress. The blast radius is limited to the affected Next.js application instance, but widespread adoption of Next.js means many deployments could be vulnerable.
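The failure mode above is an unbounded read of an upstream response into memory. The following is an added illustration of the defensive pattern, not code from Next.js or from the 15.5.10 patch: the byte cap `MAX_IMAGE_BYTES`, the error class and the helper names are assumptions chosen for this example. It rejects early on a declared Content-Length and, when the origin declares nothing, counts bytes while streaming and cancels the read the moment the cap is crossed, so an oversized response never gets buffered in full.

```javascript
// Added example (not Next.js code): read an upstream image body with a hard byte cap.
// MAX_IMAGE_BYTES is an assumed limit for illustration; a real deployment picks its own.
const MAX_IMAGE_BYTES = 8 * 1024 * 1024;

class ImageTooLargeError extends Error {
  constructor(limit) {
    super(`upstream image exceeds ${limit} bytes`);
    this.name = 'ImageTooLargeError';
  }
}

// Pre-check on the declared length. Returns the declared size, or null when the origin
// gives none (in which case the streaming cap below is the only protection).
function checkDeclaredLength(headers, limit = MAX_IMAGE_BYTES) {
  const declared = typeof headers.get === 'function'
    ? headers.get('content-length')
    : headers['content-length'];
  if (declared === null || declared === undefined) return null;
  const n = Number(declared);
  if (!Number.isFinite(n) || n < 0) return null; // treat garbage as "unknown"
  if (n > limit) throw new ImageTooLargeError(limit);
  return n;
}

// Stream the body, counting bytes; stop pulling from the origin as soon as the cap is crossed.
async function readBodyWithCap(stream, limit = MAX_IMAGE_BYTES) {
  const reader = stream.getReader();
  const chunks = [];
  let total = 0;
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      total += value.byteLength;
      if (total > limit) {
        await reader.cancel(); // releases the upstream connection instead of draining it
        throw new ImageTooLargeError(limit);
      }
      chunks.push(value);
    }
  } finally {
    reader.releaseLock();
  }
  return Buffer.concat(chunks);
}

// Constructed test input: a ReadableStream yielding `count` zero-filled chunks of `size` bytes,
// standing in for an upstream fetch() body so the example runs offline.
function makeChunkedStream(count, size) {
  let i = 0;
  return new ReadableStream({
    pull(controller) {
      if (i++ < count) controller.enqueue(new Uint8Array(size));
      else controller.close();
    },
  });
}

module.exports = { MAX_IMAGE_BYTES, ImageTooLargeError, checkDeclaredLength, readBodyWithCap, makeChunkedStream };
```

The Content-Length check alone is not enough, because an origin can omit the header or lie about it; the streaming counter is what actually bounds memory, and cancelling the reader matters so the server does not keep downloading a response it has already decided to reject.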
This vulnerability is not currently listed on KEV. The EPSS score is likely low to medium, given the requirement for attacker control over an external image source and the need to configure remotePatterns. There are no publicly known proof-of-concept exploits at this time. The vulnerability was published on 2026-01-27.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC: none recorded
CVSS Vector: none recorded
The primary mitigation for CVE-2025-59471 is to upgrade to Next.js version 15.5.10 or later. This version includes a fix that limits the size of images processed by the Image Optimizer, preventing the out-of-memory condition. If upgrading immediately is not feasible, consider temporarily restricting the remotePatterns configuration to only allow image optimization from trusted domains. Additionally, monitor server memory usage closely and implement resource limits to prevent a single process from consuming excessive memory. While a WAF or proxy cannot directly prevent this vulnerability, it can be configured to rate-limit requests to the /_next/image endpoint, potentially mitigating the impact of a DoS attack. After upgrading, confirm the fix by attempting to optimize a large image (e.g., > 100MB) and verifying that the server does not experience memory exhaustion.
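The workaround of restricting remotePatterns is easiest to see as a before/after next.config.js. This is an added example, not the Next.js project's own configuration; the host names cdn.example.com and assets.example.com and the path prefixes are placeholders. The permissive form lets the optimizer fetch from any HTTPS host, which is exactly the precondition the advisory describes (an attacker-controlled origin serving a huge image); the restricted form names only the origins and path prefixes the application actually uses.

```javascript
// next.config.js (added example, not Next.js project code). Host names and paths are placeholders.

// Weak setting: a '**' hostname wildcard permits any HTTPS origin, so /_next/image will
// fetch (and, before 15.5.10, fully buffer) images from a host an attacker controls.
const permissiveImages = {
  remotePatterns: [
    { protocol: 'https', hostname: '**' },
  ],
};

// Corrected setting: explicit hosts, empty port (default only) and a path prefix per host.
const restrictedImages = {
  remotePatterns: [
    { protocol: 'https', hostname: 'cdn.example.com', port: '', pathname: '/product-images/**' },
    { protocol: 'https', hostname: 'assets.example.com', port: '', pathname: '/avatars/**' },
  ],
};

// Export the restricted variant; permissiveImages is kept only to show the contrast.
/** @type {import('next').NextConfig} */
module.exports = {
  images: process.env.ALLOW_ANY_IMAGE_HOST === '1' ? permissiveImages : restrictedImages,
};
```

Tightening remotePatterns does not remove the unbounded-read bug, it only shrinks the set of origins that can trigger it; the upgrade to 15.5.10 or 16.1.5 remains the fix.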
Update Next.js to version 15.5.10 or 16.1.5 or later. This fixes the denial-of-service vulnerability in the Image Optimizer. Ensure that the `remotePatterns` configuration is as restrictive as possible to prevent image optimization from untrusted domains.
CVE-2025-59471 is a Denial of Service vulnerability in Next.js applications that allows attackers to cause out-of-memory conditions by optimizing large images. It affects versions prior to 15.5.10.
You are affected if you are using a self-hosted Next.js application with remotePatterns configured for image optimization and are running a version prior to 15.5.10.
Upgrade to Next.js version 15.5.10 or later to mitigate the vulnerability. Temporarily restrict remotePatterns as a workaround if immediate upgrade is not possible.
There are currently no publicly known active exploitation campaigns targeting CVE-2025-59471, but it's crucial to apply the patch proactively.
Refer to the Next.js security advisories on their official website for detailed information and updates regarding CVE-2025-59471.