CVE-2025-59471

Description

A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

How to fix CVE-2025-59471

To remediate CVE-2025-59471, upgrade the affected package to a fixed version below.

• —upgrade to 15.5.10 or later

Is CVE-2025-59471 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 10.0.0, < 15.5.10

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-59471
• PATCHgithub.com/vercel/next.js
• WEBgithub.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c
• WEBgithub.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec