7.5

CVE-2025-59471

EPSS 0.03%
Veröffentlicht 26.01.2026 21:43:05
Zuletzt bearbeitet 13.02.2026 15:03:20
Quelle support@hackerone.com
CVE-Watchlists
Login
Unerledigt
Login

A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vercel ≫ Next.Js SwPlatformnode.js Version >= 10.0.0 < 15.5.10

Vercel ≫ Next.Js SwPlatformnode.js Version >= 16.0.0 < 16.1.5

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.077

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
support@hackerone.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-59471

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-59471

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-59471

EUVD