Platform
nodejs
Component
next
Fixed in
10.0
11.0
12.0
13.0
14.0
15.5.10
16.1.5
15.5.10
CVE-2025-59471 describes a Denial of Service (DoS) vulnerability affecting self-hosted Next.js applications. It lives in the Image Optimizer component and is reachable when remotePatterns is configured to allow external image sources. An attacker exploits it by requesting optimization of excessively large images, which drives the server process out of memory and disrupts service. Affected versions are those before 15.5.10 on the 15.x line and before 16.1.5 on the 16.x line; fixes ship in 15.5.10 and 16.1.5.
The primary impact of CVE-2025-59471 is denial of service. An attacker who can control or serve a large image on a domain permitted by the remotePatterns configuration can trigger the condition. The Next.js Image Optimizer endpoint (/_next/image) fetches the external image and buffers it entirely in memory without imposing a size limit. By repeatedly requesting optimization of very large images, an attacker exhausts server memory, causing the Next.js process to become unresponsive or crash and taking the application offline for legitimate users until it is restarted. The blast radius is limited to the affected Next.js application instance, but the widespread adoption of Next.js means many deployments could be vulnerable.
This vulnerability is not currently listed on KEV. The EPSS score is low (0.03%, 7th percentile), consistent with the preconditions: the attacker must control an image on a host that remotePatterns permits, and the deployment must be self-hosted with the optimizer enabled. There are no publicly known proof-of-concept exploits at this time. The vulnerability was published on 2026-01-27.
Organizations running self-hosted Next.js applications with remotePatterns configured for image optimization are at risk. This includes developers who have enabled image optimization from external domains and have not yet upgraded to a patched version. Shared hosting environments running Next.js applications are also potentially vulnerable if tenants lack control over the application's configuration.
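To make the memory-exhaustion mechanism concrete, the following is an added example (it is not Next.js code and not taken from the advisory): an unbounded reader that buffers every chunk of an upstream image body beside a guarded reader that rejects an oversized Content-Length up front and then enforces a byte budget while streaming, so a missing or dishonest header cannot bypass the check. The 8 MiB budget, the helper names and the constructed chunk generator are all assumptions made for the example.

```javascript
// Added example, not Next.js's own implementation. MAX_IMAGE_BYTES is an
// assumed per-image budget; real deployments would size it to their content.
const MAX_IMAGE_BYTES = 8 * 1024 * 1024;

// Vulnerable pattern: every chunk is kept, so memory grows with the
// attacker-controlled upstream body until the process runs out.
function readUnbounded(chunks) {
  const parts = [];
  for (const chunk of chunks) parts.push(chunk);
  return Buffer.concat(parts);
}

// Hardened pattern: refuse a declared size over budget, then keep counting
// bytes as they arrive and abort as soon as the budget is exceeded.
function readBounded(chunks, headers = {}, maxBytes = MAX_IMAGE_BYTES) {
  const declared = Number(headers['content-length']);
  if (Number.isFinite(declared) && declared > maxBytes) {
    throw new RangeError(`declared size ${declared} exceeds ${maxBytes} bytes`);
  }
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) {
      // Stop here: nothing beyond the budget is ever buffered.
      throw new RangeError(`upstream body exceeded ${maxBytes} bytes`);
    }
    parts.push(chunk);
  }
  return Buffer.concat(parts);
}

// Constructed stand-in for an upstream response body: a lazy generator of
// 64 KiB chunks, so only the chunks actually consumed are allocated.
function* constructedChunks(totalBytes, chunkSize = 64 * 1024) {
  let remaining = totalBytes;
  while (remaining > 0) {
    const n = Math.min(chunkSize, remaining);
    yield Buffer.alloc(n, 0xff);
    remaining -= n;
  }
}

// Stand-alone demonstration: the guarded reader stops after ~8 MiB of a
// 1 GiB body; the unbounded reader would try to hold the whole thing.
function demo() {
  try {
    readBounded(constructedChunks(1024 * 1024 * 1024), { 'content-length': '' });
    return 'not rejected';
  } catch (err) {
    return err instanceof RangeError ? 'rejected' : 'unexpected error';
  }
}
```

In a real fetch path the body is an async iterable (for example `for await (const chunk of response.body)` on Node 18+); the same counting loop applies unchanged, and the Content-Length pre-check lets the server skip the download entirely when the upstream is honest about its size.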
• nodejs / server (memory of the Node.js process serving the app; request paths such as /_next/image never appear in a process list, so grepping ps for them finds nothing):
  ps -o pid,rss,etime,cmd -C node
• nodejs / server:
  journalctl -u node -f | grep -i "Image Optimizer"
• generic web (the optimizer endpoint expects url, w and q parameters; the URL is quoted so the shell does not treat & as a job separator, and the url value must point at a host your remotePatterns already allows):
  curl -sS -o /dev/null -w '%{http_code} %{time_total}\n' 'https://your-nextjs-app.com/_next/image?url=https%3A%2F%2Fcdn.example.com%2Fsample.png&w=3840&q=75'
  (Check for unusually long response times or 5xx errors indicating memory pressure)
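Beyond the one-off checks above, a practitioner will want to scan the reverse-proxy access log for the pattern this attack leaves: one client hammering /_next/image with large widths and a run of 5xx responses. The following is an added example, not tooling from the advisory or from Next.js; the log lines are constructed samples in a common nginx-style combined format, and the thresholds in flagSuspicious are assumptions to tune per site.

```javascript
// Added example: detection over constructed access-log lines. Hosts and IPs
// are placeholders from documentation ranges, not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [27/Jan/2026:10:00:01 +0000] "GET /_next/image?url=https%3A%2F%2Fimg.example.net%2Fhuge.png&w=3840&q=75 HTTP/1.1" 200 812000',
  '203.0.113.7 - - [27/Jan/2026:10:00:02 +0000] "GET /_next/image?url=https%3A%2F%2Fimg.example.net%2Fhuge.png&w=3840&q=100 HTTP/1.1" 500 0',
  '198.51.100.4 - - [27/Jan/2026:10:00:02 +0000] "GET /_next/image?url=https%3A%2F%2Fcdn.example.com%2Flogo.png&w=640&q=75 HTTP/1.1" 200 12400',
  '203.0.113.7 - - [27/Jan/2026:10:00:03 +0000] "GET /_next/image?url=https%3A%2F%2Fimg.example.net%2Fhuge.png&w=3840&q=100 HTTP/1.1" 500 0',
  '203.0.113.7 - - [27/Jan/2026:10:00:03 +0000] "GET /_next/image?url=https%3A%2F%2Fimg.example.net%2Fhuge.png&w=3840&q=100 HTTP/1.1" 503 0',
  '198.51.100.4 - - [27/Jan/2026:10:00:04 +0000] "GET /about HTTP/1.1" 200 5120',
  '203.0.113.7 - - [27/Jan/2026:10:00:04 +0000] "GET /_next/image?url=https%3A%2F%2Fimg.example.net%2Fhuge.png&w=3840&q=100 HTTP/1.1" 500 0',
  '203.0.113.7 - - [27/Jan/2026:10:00:05 +0000] "GET /_next/image?url=https%3A%2F%2Fimg.example.net%2Fhuge.png&w=3840&q=100 HTTP/1.1" 502 0',
];

// ip, timestamp, method, path, status, bytes (combined log format prefix).
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Aggregate per client: request count, 5xx count, upstream hosts requested
// through the optimizer, and the largest width parameter seen.
function summarizeImageRequests(lines) {
  const perIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !rec.path.startsWith('/_next/image')) continue;
    const u = new URL(rec.path, 'http://localhost'); // base only to parse the query
    const upstream = u.searchParams.get('url') || '';
    const width = Number(u.searchParams.get('w')) || 0;
    const entry = perIp.get(rec.ip) || { count: 0, errors: 0, hosts: new Set(), maxWidth: 0 };
    entry.count += 1;
    if (rec.status >= 500) entry.errors += 1;
    try { entry.hosts.add(new URL(upstream).hostname); } catch { /* malformed url param */ }
    entry.maxWidth = Math.max(entry.maxWidth, width);
    perIp.set(rec.ip, entry);
  }
  return perIp;
}

// Thresholds are assumptions; a busy site would tune them and add a window.
function flagSuspicious(summary, { minRequests = 5, minErrors = 2 } = {}) {
  const flagged = [];
  for (const [ip, e] of summary) {
    if (e.count >= minRequests || e.errors >= minErrors) {
      flagged.push({ ip, count: e.count, errors: e.errors, hosts: [...e.hosts], maxWidth: e.maxWidth });
    }
  }
  return flagged;
}
```

Running `flagSuspicious(summarizeImageRequests(SAMPLE_LOG))` over the constructed lines isolates 203.0.113.7 (six optimizer requests, five 5xx responses, all for one upstream host) and leaves the normal client alone; the upstream hostname is what you then cross-check against remotePatterns.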
Disclosure
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-59471 is to upgrade to Next.js 15.5.10 or later on the 15.x line, or 16.1.5 or later on the 16.x line. These releases limit the size of images the Image Optimizer will process, preventing the out-of-memory condition. If upgrading immediately is not feasible, temporarily tighten the remotePatterns configuration so that only trusted domains (and, where possible, specific path prefixes) are eligible for optimization. Additionally, monitor server memory usage closely and apply resource limits so a single process cannot consume all available memory. A WAF or proxy cannot remove the underlying flaw, but rate-limiting requests to the /_next/image endpoint reduces how quickly an attacker can drive the process to exhaustion. After upgrading, confirm the fix by requesting optimization of a large image (e.g., > 100 MB) and verifying that the server rejects it without memory exhaustion.
Update Next.js to version 15.5.10 or 16.1.5 or later. This fixes the denial-of-service vulnerability in the Image Optimizer. Make sure the `remotePatterns` configuration is as restrictive as possible so that images are never optimized from untrusted domains.
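The workaround in both mitigation passages above is to tighten remotePatterns. As an added example (not configuration from the advisory or from the Next.js project), the following shows a permissive `next.config.js` images block beside a restricted one, together with a small matcher that reproduces the documented wildcard rules (`*` matches one subdomain or path segment, `**` matches any number) so the two can be compared offline. The matcher is a simplified re-implementation, not Next.js's own code; the hostnames and paths are placeholders.

```javascript
// Added example: permissive vs restricted images.remotePatterns, with a
// simplified matcher for checking which upstream URLs each config admits.

// Weak: any https host is allowed, so an attacker-hosted image can be pushed
// through /_next/image.
const permissiveConfig = {
  images: {
    remotePatterns: [{ protocol: 'https', hostname: '**' }],
  },
};

// Restricted: one trusted CDN host and one path prefix (placeholders).
const restrictedConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: 'cdn.example.com', pathname: '/uploads/**' },
    ],
  },
};

// Turn a segment glob into an anchored RegExp. sep is '.' for hostnames and
// '/' for pathnames. '**' -> any run of segments, '*' -> exactly one segment.
function segmentGlobToRegExp(glob, sep) {
  const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const body = glob
    .split(sep)
    .map((seg) => (seg === '**' ? '.*' : seg === '*' ? `[^${esc(sep)}]+` : esc(seg)))
    .join(esc(sep));
  return new RegExp(`^${body}$`);
}

// Every field present in a pattern must match; absent fields match anything.
// This mirrors the documented behaviour in spirit but is an assumption, not
// the framework's matcher.
function isAllowedRemote(urlString, config) {
  let u;
  try { u = new URL(urlString); } catch { return false; }
  const proto = u.protocol.replace(/:$/, '');
  return config.images.remotePatterns.some((p) =>
    (p.protocol === undefined || p.protocol === proto) &&
    (p.port === undefined || p.port === u.port) &&
    segmentGlobToRegExp(p.hostname, '.').test(u.hostname) &&
    (p.pathname === undefined || segmentGlobToRegExp(p.pathname, '/').test(u.pathname)));
}

// Hypothetical attacker-controlled image versus a legitimate CDN asset.
const ATTACKER_IMAGE = 'https://evil.example.net/huge.png';
const CDN_IMAGE = 'https://cdn.example.com/uploads/2026/banner.png';
```

With the permissive block, `isAllowedRemote(ATTACKER_IMAGE, permissiveConfig)` is true and the optimizer will fetch whatever the attacker hosts; with the restricted block it is false, while the CDN asset still passes. A subdomain takeover or open upload on the allowed host would still satisfy the pattern, which is why the upgrade remains the real fix and the pattern tightening is only the stopgap.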
CVE-2025-59471 is a Denial of Service vulnerability in self-hosted Next.js applications that lets an attacker cause out-of-memory conditions by having the Image Optimizer process very large external images. It affects 15.x versions before 15.5.10 and 16.x versions before 16.1.5.
You are affected if you run a self-hosted Next.js application with remotePatterns configured for image optimization on a version before 15.5.10 (15.x) or 16.1.5 (16.x).
Upgrade to Next.js 15.5.10 or 16.1.5 (or later) to fix the vulnerability. Temporarily restrict remotePatterns as a workaround if an immediate upgrade is not possible.
There are currently no publicly known active exploitation campaigns targeting CVE-2025-59471, but it's crucial to apply the patch proactively.
Refer to the Next.js security advisories on their official website for detailed information and updates regarding CVE-2025-59471.