Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-59471

Good to know:

icon
icon

Date: January 26, 2026

A denial of service vulnerability exists in self-hosted Next.js applications that have "remotePatterns" configured for the Image Optimizer. The image optimization endpoint ("/_next/image") loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that "remotePatterns" is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

Severity Score

Related Resources (8)

https://github.com/vercel/next.js/releases/tag/v15.5.10
https://github.com/vercel/next.js/releases/tag/v16.1.5
https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c
https://nvd.nist.gov/vuln/detail/CVE-2025-59471
https://github.com/vercel/next.js
https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec
https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f
https://www.mend.io/vulnerability-database/CVE-2025-59471

Severity Score

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

icon

Upgrade Version

Upgrade to version next - 15.5.10;next - 16.1.5;next - 15.5.10;next - 16.1.5

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us