CVE-2025-59471 Overview
A denial of service vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.
Critical Impact
Attackers can exhaust server memory by forcing the Next.js Image Optimizer to process arbitrarily large external images, causing application downtime and potential service disruption.
Affected Products
- Self-hosted Next.js applications with remotePatterns configured
- Next.js 15.x versions prior to 15.5.10
- Next.js 16.x versions prior to 16.1.5
Discovery Timeline
- 2026-01-26 - CVE-2025-59471 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2025-59471
Vulnerability Analysis
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), which describes scenarios where an application fails to properly limit the resources consumed by an operation. In this case, the Next.js Image Optimizer endpoint lacks proper safeguards against processing excessively large images from external sources.
The /_next/image endpoint is designed to optimize images for better web performance. When remotePatterns is configured to allow external image sources, the optimizer fetches and processes these images. The critical flaw lies in the absence of a maximum size limit for incoming image data—the entire image is loaded into memory before any processing begins.
An attacker who can either control an image on an allowed domain or identify an existing large image on a permitted remote source can trigger memory exhaustion. By sending multiple concurrent requests to optimize extremely large images, the attacker can rapidly consume all available server memory, leading to application crashes and denial of service conditions.
Root Cause
The root cause of this vulnerability is the missing validation of image size before loading external images into memory. The Image Optimizer endpoint does not enforce a maximum file size limit for remote images specified via remotePatterns, allowing unbounded memory allocation when processing requests.
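As an added illustration of the safeguard this root-cause description calls for (example code written for this page, not the Next.js Image Optimizer's own implementation): the remote response body is read through a hard byte cap, with the declared Content-Length checked before any body bytes are read. Note that the cap applies to the response the server fetches from the remote host, which is where the memory is consumed, not to the client's request body. The 5 MiB limit, the function names and the stub stream are assumptions for the example; it needs Node 18 or later for the global fetch, Headers and ReadableStream.

```javascript
// Added example, not Next.js source: fetch a remote image under a hard byte
// cap so an oversized response is rejected instead of being buffered whole.
// Needs Node 18+ (global fetch, Headers, ReadableStream, Buffer).

const MAX_IMAGE_BYTES = 5 * 1024 * 1024; // assumed 5 MiB cap for this example

class ImageTooLargeError extends Error {
  constructor(limit) {
    super(`remote image exceeds ${limit} bytes`);
    this.name = 'ImageTooLargeError';
  }
}

// Drain a ReadableStream<Uint8Array> into one Buffer, but stop and cancel the
// stream as soon as the running total passes maxBytes. Peak memory is bounded
// by maxBytes plus one chunk, regardless of how large the remote object is.
async function readBounded(stream, maxBytes) {
  const reader = stream.getReader();
  const chunks = [];
  let total = 0;
  let finished = false;
  try {
    while (!finished) {
      const { done, value } = await reader.read();
      if (done) {
        finished = true;
        break;
      }
      total += value.byteLength;
      if (total > maxBytes) throw new ImageTooLargeError(maxBytes);
      chunks.push(value);
    }
  } finally {
    // On early exit, cancel() tells the source (the socket, in a real fetch) to stop.
    if (finished) reader.releaseLock();
    else await reader.cancel().catch(() => {});
  }
  return Buffer.concat(chunks);
}

// Fetch wrapper: reject on the declared Content-Length first (no body bytes
// read at all), then apply the streaming cap, because Content-Length may be
// absent or wrong. fetchImpl is injectable so the function can be tested offline.
async function fetchImageBounded(url, maxBytes = MAX_IMAGE_BYTES, fetchImpl = fetch) {
  const res = await fetchImpl(url);
  const declared = Number(res.headers.get('content-length'));
  if (Number.isFinite(declared) && declared > maxBytes) {
    if (res.body) await res.body.cancel().catch(() => {});
    throw new ImageTooLargeError(maxBytes);
  }
  if (!res.body) return Buffer.alloc(0);
  return readBounded(res.body, maxBytes);
}

// Constructed stand-in for a remote image: a stream of `count` zero-filled
// chunks of `size` bytes each, so the cap can be exercised without a network.
function fakeImageStream(count, size) {
  let emitted = 0;
  return new ReadableStream({
    pull(controller) {
      if (emitted === count) {
        controller.close();
        return;
      }
      emitted += 1;
      controller.enqueue(new Uint8Array(size));
    },
  });
}
```

In a real handler, `fetchImageBounded(remoteUrl)` would replace an unbounded `await res.arrayBuffer()`; the important property is that a rejected response never grows beyond the cap in process memory, so concurrent requests for a huge image cost at most the cap each rather than the full object size.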
Attack Vector
The attack vector is network-based and does not require authentication. An attacker can exploit this vulnerability remotely by sending crafted requests to the /_next/image endpoint with URLs pointing to extremely large images on domains permitted by the remotePatterns configuration. The attacker must either control content on an allowed domain or identify existing large images that match the configured patterns. By sending multiple concurrent optimization requests for large images, memory resources can be exhausted, causing the application to become unresponsive or crash.
Detection Methods for CVE-2025-59471
Indicators of Compromise
- Unusual spikes in memory consumption on servers running Next.js applications
- Repeated requests to the /_next/image endpoint with external image URLs
- Application crashes or out-of-memory errors in server logs
- High volume of requests from single IP addresses targeting the image optimization endpoint
Detection Strategies
- Monitor server memory utilization and set alerts for abnormal consumption patterns
- Implement request rate limiting on the /_next/image endpoint
- Review access logs for suspicious patterns of external image optimization requests
- Deploy web application firewalls (WAF) with rules to detect and block abuse of image processing endpoints
Monitoring Recommendations
- Enable detailed logging for the /_next/image endpoint to track external image requests
- Set up memory threshold alerts to detect potential exploitation attempts before service degradation
- Monitor for repeated requests with URLs pointing to unusually large image files
- Implement anomaly detection for traffic patterns targeting the image optimization functionality
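An added detection example over constructed access-log lines (example code for this page, not part of the advisory): it parses combined-format entries, keeps only /_next/image requests whose url parameter points at an external host, counts them per source address, and reports any target host outside the assumed remotePatterns allowlist. The sample lines, the allowlist and the per-address threshold are constructed for the example and would be replaced by real logs and the site's own configuration.

```javascript
// Added example, not from the advisory or Next.js: scan access-log lines for
// /_next/image requests that pull external images and flag source addresses
// that issue many such requests in the window covered by the log.

// Assumed allowlist mirroring the hostnames in next.config.js remotePatterns.
const ALLOWED_HOSTS = new Set(['cdn.example.com']);

// Assumed per-address threshold for this example; tune to normal traffic.
const PER_IP_THRESHOLD = 3;

// Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

// Parse one line; returns null for lines that are not /_next/image requests.
// host is null for a same-origin (relative) image, which triggers no remote fetch.
function parseImageRequest(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, path, status] = m;
  if (!path.startsWith('/_next/image')) return null;
  const params = new URL(path, 'http://localhost').searchParams;
  const target = params.get('url');
  if (target === null) return null;
  let host = null;
  try {
    host = target.startsWith('/') ? null : new URL(target).hostname;
  } catch {
    host = 'invalid';
  }
  return { ip, time, method, status: Number(status), target, host, width: params.get('w') };
}

// Count external image optimizations per source address, flag addresses at or
// above the threshold, and list requests whose target host is not allowlisted.
function analyzeImageRequests(lines, allowedHosts = ALLOWED_HOSTS, threshold = PER_IP_THRESHOLD) {
  const perIp = {};
  const notAllowed = [];
  for (const line of lines) {
    const req = parseImageRequest(line);
    if (!req || req.host === null) continue; // only external fetches cost remote bandwidth and memory
    perIp[req.ip] = (perIp[req.ip] || 0) + 1;
    if (!allowedHosts.has(req.host)) notAllowed.push(req);
  }
  const flaggedIps = Object.entries(perIp)
    .filter(([, count]) => count >= threshold)
    .map(([ip, count]) => ({ ip, count }));
  return { perIp, flaggedIps, notAllowed };
}

// Constructed sample log: one ordinary visitor and one address hammering the
// optimizer with the same large external image (500s hint at a crashed worker).
const SAMPLE_LOG = [
  '203.0.113.7 - - [27/Jan/2026:10:00:01 +0000] "GET /_next/image?url=https%3A%2F%2Fcdn.example.com%2Fhero.jpg&w=1920&q=75 HTTP/1.1" 200 51234',
  '203.0.113.7 - - [27/Jan/2026:10:00:02 +0000] "GET /_next/image?url=%2Flogo.png&w=256&q=75 HTTP/1.1" 200 4102',
  '203.0.113.7 - - [27/Jan/2026:10:00:02 +0000] "GET /about HTTP/1.1" 200 8821',
  '198.51.100.9 - - [27/Jan/2026:10:00:05 +0000] "GET /_next/image?url=https%3A%2F%2Fcdn.example.com%2Fuploads%2Fhuge.png&w=3840&q=100 HTTP/1.1" 500 0',
  '198.51.100.9 - - [27/Jan/2026:10:00:05 +0000] "GET /_next/image?url=https%3A%2F%2Fcdn.example.com%2Fuploads%2Fhuge.png&w=3840&q=100 HTTP/1.1" 500 0',
  '198.51.100.9 - - [27/Jan/2026:10:00:06 +0000] "GET /_next/image?url=https%3A%2F%2Fcdn.example.com%2Fuploads%2Fhuge.png&w=3840&q=100 HTTP/1.1" 500 0',
  '198.51.100.9 - - [27/Jan/2026:10:00:06 +0000] "GET /_next/image?url=https%3A%2F%2Fcdn.example.com%2Fuploads%2Fhuge.png&w=3840&q=100 HTTP/1.1" 500 0',
  '198.51.100.9 - - [27/Jan/2026:10:00:09 +0000] "GET /_next/image?url=https%3A%2F%2Fother.example.net%2Fx.png&w=3840&q=75 HTTP/1.1" 400 0',
];

// Report the findings for the constructed sample.
function report(lines = SAMPLE_LOG) {
  const result = analyzeImageRequests(lines);
  for (const { ip, count } of result.flaggedIps) {
    console.log(`flagged ${ip}: ${count} external image optimizations`);
  }
  for (const req of result.notAllowed) {
    console.log(`non-allowlisted target ${req.host} from ${req.ip} (status ${req.status})`);
  }
  return result;
}
```

Feed real access logs in line by line (for example, `fs.readFileSync(path, 'utf8').split('\n')`) and correlate the flagged addresses with the memory-threshold alerts above; a burst of external optimizations for one large object that coincides with 5xx responses or worker restarts is the pattern this advisory describes.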
How to Mitigate CVE-2025-59471
Immediate Actions Required
- Upgrade immediately to Next.js 15.5.10 (for 15.x) or 16.1.5 (for 16.x), or later, to receive the security patch
- Review and restrict remotePatterns configuration to only trusted and necessary domains
- Implement rate limiting on the /_next/image endpoint to reduce exploitation impact
- Consider temporarily disabling remote image optimization if immediate patching is not possible
Patch Information
Vercel has released security patches in Next.js versions 15.5.10 and 16.1.5 that address this memory exhaustion vulnerability. Organizations should upgrade to these versions as soon as possible. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Restrict remotePatterns to only include trusted domains that you control
- Implement a reverse proxy with request body size limits in front of the Next.js application
- Deploy rate limiting at the infrastructure level to prevent abuse of the image endpoint
- Consider using a CDN with built-in image optimization to offload processing from the application server
Example: restrict remotePatterns in next.config.js to trusted domains only, reviewing and minimizing the allowed entries in your configuration:

// next.config.js
module.exports = {
  images: {
    remotePatterns: [
      {
        protocol: 'https',
        hostname: 'your-trusted-domain.com',
      },
    ],
  },
};

Additionally, rate-limit the endpoint via nginx:

# nginx: in the http block
limit_req_zone $binary_remote_addr zone=image_limit:10m rate=10r/s;

# nginx: in the server block fronting the Next.js application
location /_next/image {
    limit_req zone=image_limit burst=20 nodelay;
    proxy_pass http://nextjs_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.