CVEFinder.io

CVE-2025-59471

🔶 medium
🔍 Scan for this CVE
Summary

A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and

Description

A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

CVSS Score
5.9
Medium
EPSS Score
0.1
Exploit Probability
Published Date
2026-01-26
First Seen: 2026-01-28
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 33.3% of all 317,883 vulnerabilities in our database.

#212,185
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Jan 27, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-02-13
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE IDs (Weakness Types)
CWE-400

📦 Affected Products 2

Vendor Product Status Affected Versions
vercel next.js Affected
> 10.0.0 < 15.5.10
vercel next.js Affected
> 16.0.0 < 16.1.5

🔗 References 1

https://github.com/vercel/next.js/security/advisorie...
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-27977 🔶 medium 5.4 0.0 Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1... 2026-03-18
CVE-2026-27978 🔶 medium 4.3 0.0 Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1... 2026-03-18
CVE-2026-27979 ⚠️ high 7.5 0.0 Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1... 2026-03-18
CVE-2026-27980 ⚠️ high 7.5 0.0 Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 1... 2026-03-18
CVE-2026-29057 🔶 medium 6.5 0.1 Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 1... 2026-03-18
CVE-2025-59472 🔶 medium 5.9 0.1 A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in min... 2026-01-26
These CVEs affect the same products