Bug 2433094 (CVE-2025-59471) - CVE-2025-59471 next: NextJS Denial of Service in Image Optimizer
Summary: CVE-2025-59471 next: NextJS Denial of Service in Image Optimizer
Keywords:
Status: NEW
Alias: CVE-2025-59471
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2434149 2434151 2434154 2434156 2434161 2434164 2434166 2434168 2434169 2434141 2434144 2434146 2434159
Blocks:
Reported: 2026-01-26 22:02 UTC by OSIDB Bzimport
Modified: 2026-01-28 18:52 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-26 22:02:09 UTC
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
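The defensive pattern the description implies, as an added example that is not Next.js code or the vendor's fix: an upstream image body is read in chunks against a hard byte cap, and refused early when the declared Content-Length already exceeds it. The cap value, the function names and the chunk generator are assumptions made for illustration.

```javascript
// Added example (not from Next.js). The reported bug is an unbounded read: the
// optimizer buffers the entire remote image in memory. The defence is two-fold:
// refuse up front when the upstream declares an oversized body, then keep
// enforcing the cap while consuming the body, because a remote server can omit
// or misstate Content-Length.

const MAX_IMAGE_BYTES = 10 * 1024 * 1024; // assumption: 10 MiB cap for illustration

// Pre-check on response headers. Returns true when the body read may proceed.
// A missing header is allowed through; the streaming cap below still applies.
function contentLengthAllowed(headers, maxBytes = MAX_IMAGE_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return true;
  if (!/^\d+$/.test(String(raw))) return false; // malformed header: refuse
  return Number(raw) <= maxBytes;
}

// Body read with a hard cap. `chunks` is any iterable of Buffers, consumed one
// chunk at a time (a real response body is drained the same way). Throws as
// soon as the running total exceeds maxBytes, so memory never grows past
// maxBytes plus one chunk regardless of how large the upstream body is.
function readBounded(chunks, maxBytes = MAX_IMAGE_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) {
      throw new RangeError(`upstream image exceeds ${maxBytes} bytes`);
    }
    parts.push(chunk);
  }
  return Buffer.concat(parts);
}

// Constructed sample: lazily yields `total` bytes in `size`-byte chunks, so an
// oversized "image" is never fully allocated by the producer either.
function* chunksOf(total, size) {
  for (let sent = 0; sent < total; sent += size) {
    yield Buffer.alloc(Math.min(size, total - sent));
  }
}

// Small body passes intact; an oversized body is rejected after the first
// chunk that crosses the cap (here 8 bytes of a 1 MiB body).
function demo() {
  const ok = readBounded(chunksOf(8, 4), 8);
  let rejected = false;
  try { readBounded(chunksOf(1024 * 1024, 4), 8); } catch (e) { rejected = e instanceof RangeError; }
  return { okLength: ok.length, rejected };
}
```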

