CVE-2025-59471: Vulnerability in vercel next
CVE-2025-59471 is a denial of service vulnerability affecting self-hosted Next.js applications that use the Image Optimizer with remotePatterns configured for external domains. The image optimization endpoint loads external images fully into memory without a size limit, so an attacker can trigger out-of-memory conditions by requesting optimization of a very large image. Exploitation requires that remotePatterns allow an external domain and that the attacker controls, or can place large images on, one of those domains. The vulnerability affects Next.js versions 10.0 through 16.0. No authentication or user interaction is needed, but attack complexity is rated high because of the need to serve large images from an allowed domain. The CVSS score is 5.
AI Analysis
Technical Summary
CVE-2025-59471 is a denial of service (DoS) vulnerability in the Next.js framework's Image Optimizer feature when self-hosted and configured with remotePatterns to allow image optimization from external domains. The vulnerability stems from the image optimization endpoint (`/_next/image`) loading external images entirely into memory without enforcing a maximum size limit. This flaw allows an attacker to cause out-of-memory conditions by requesting the optimization of arbitrarily large images hosted on domains permitted by the remotePatterns configuration. Exploitation requires that the application’s remotePatterns setting includes external domains and that the attacker can serve or control large images on those domains. The vulnerability affects Next.js versions 10.0 through 16.0. The attack vector is network-based, requires no privileges or user interaction, but has high attack complexity due to the need to control large images on allowed domains. The impact is limited to availability, causing denial of service by exhausting server memory resources. No known exploits are currently in the wild. The recommended mitigation is to upgrade to Next.js versions 15.5.10 or 16.1.5, which implement protections against this memory exhaustion issue. This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption).
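The shape of the flaw and of its fix, as an added example that is not Next.js source code: the page does not show the framework's implementation, and the cap value, the function names and the constructed chunk sources below are assumptions. The hardened reader enforces the limit twice, once on the declared Content-Length and again on the bytes actually received, because an origin the attacker controls can omit or understate the header.

```javascript
// Added illustration, not Next.js code: an unbounded body read next to a
// byte-capped one. MAX_IMAGE_BYTES is an assumed value, not the framework's limit.
const MAX_IMAGE_BYTES = 1024 * 1024;

// Flawed pattern (CWE-400): every chunk of the upstream response is buffered,
// so memory grows with whatever the remote origin chooses to send.
// Bodies are plain iterables of Buffers so the example runs offline; a real
// HTTP body would be an async stream and the loop would be `for await`.
function readAll(body) {
  const chunks = [];
  for (const chunk of body) chunks.push(chunk);
  return Buffer.concat(chunks);
}

class ImageTooLargeError extends Error {
  constructor(message, bytesRead) {
    super(message);
    this.name = 'ImageTooLargeError';
    this.bytesRead = bytesRead; // how far the read got before the cap tripped
  }
}

// Hardened pattern: refuse a declared oversize body before reading anything,
// then keep a running byte count so the read stops as soon as the cap is
// crossed even when Content-Length is missing or lies. Peak memory is bounded
// by the cap plus one chunk.
function readBounded(body, headers = {}, maxBytes = MAX_IMAGE_BYTES) {
  const declared = Number(headers['content-length']);
  if (Number.isFinite(declared) && declared > maxBytes) {
    throw new ImageTooLargeError(`upstream declares ${declared} bytes, cap is ${maxBytes}`, 0);
  }
  const chunks = [];
  let total = 0;
  for (const chunk of body) {
    total += chunk.byteLength;
    if (total > maxBytes) {
      throw new ImageTooLargeError(`upstream exceeded ${maxBytes} bytes`, total);
    }
    chunks.push(chunk);
  }
  return Buffer.concat(chunks);
}

// Constructed sample origins (not real traffic). `endlessBody` stands in for a
// hostile allowed host that streams an image with no end; `smallBody` is benign.
function* endlessBody(chunkSize = 64 * 1024) {
  for (;;) yield Buffer.alloc(chunkSize, 0xff);
}
function* smallBody() {
  yield Buffer.from([0xff, 0xd8]); // JPEG SOI marker, constructed
  yield Buffer.alloc(1000, 0x00);
}

// Drive the bounded reader against the hostile origin and report where it
// stopped. readAll is never run on endlessBody: it would not return, which is
// exactly the out-of-memory condition the advisory describes.
function probeHostileOrigin(maxBytes = MAX_IMAGE_BYTES) {
  try {
    readBounded(endlessBody(), {}, maxBytes);
    return { rejected: false, bytesRead: maxBytes };
  } catch (err) {
    if (!(err instanceof ImageTooLargeError)) throw err;
    return { rejected: true, bytesRead: err.bytesRead };
  }
}
```

With 64 KiB chunks and a 1 MiB cap the bounded reader accepts sixteen chunks and rejects on the seventeenth, so the process never holds more than the cap plus one chunk of the hostile image; the unbounded reader has no such stopping point.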
Potential Impact
For European organizations, this vulnerability poses a risk of denial of service, potentially causing web application outages or degraded performance for services relying on self-hosted Next.js with the Image Optimizer configured to fetch images from external domains. This can disrupt business operations, customer access, and damage reputation. Organizations with high traffic or those serving large volumes of image content are particularly vulnerable to resource exhaustion attacks. The impact is availability-focused, with no direct compromise of confidentiality or integrity. Given the medium CVSS score and the requirement for specific configuration and attacker capabilities, the risk is moderate but significant for critical web services. Disruptions could affect e-commerce platforms, media sites, and any web services relying on Next.js image optimization, especially if no mitigations are applied.
Mitigation Recommendations
1. Upgrade Next.js to version 15.5.10 or 16.1.5 or later; these releases enforce a maximum image size in the optimizer and prevent the memory exhaustion.
2. Review and restrict the remotePatterns configuration to only the external domains the application actually needs. Avoid wildcard hostnames such as `**`, which let the optimizer fetch from any host an attacker controls, and treat any allowed domain that serves user-uploaded content as attacker-controlled for the purpose of this bug.
3. Apply network-level protections such as rate limiting on the `/_next/image` endpoint to reduce the number of optimization requests a single source can drive. Note that limiting inbound request size does not help here: the trigger request is small, and the oversized payload is the upstream image the server itself fetches.
4. Monitor application logs and resource usage for memory spikes and for bursts of requests to the image optimizer endpoint that reference unfamiliar external images.
5. Consider deploying Web Application Firewalls (WAFs) with custom rules that block optimizer requests whose target image lies outside the expected hosts or paths, and that throttle repeated requests for the same external image from one source.
6. Educate development and operations teams about the risks of overly permissive remotePatterns configurations and enforce secure coding and deployment practices.
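Recommendation 2 in practice, as an added example that is not Next.js code: `images.remotePatterns` is the real configuration key, but the two config objects are illustrative (the hostname `cdn.example.com` and path prefix are assumptions), and `isAllowedRemoteUrl` is a simplified re-implementation of the allowlist semantics (protocol, hostname, port and pathname, with `*` matching one label or segment and `**` matching any number) written here only to compare the two configurations. It is not the framework's own matcher and should not be relied on to predict its behaviour in every corner case.

```javascript
// Added example, not Next.js code. Compares an over-permissive remotePatterns
// entry with a restricted one using a simplified allowlist matcher.

// Over-permissive: a double-star hostname lets the optimizer fetch from any host
// an attacker controls, which removes the one precondition that keeps this
// advisory at "high attack complexity".
const permissiveConfig = {
  images: {
    remotePatterns: [{ protocol: 'https', hostname: '**' }],
  },
};

// Restricted: one known origin, one path prefix, HTTPS only (values assumed).
const restrictedConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: 'cdn.example.com', pathname: '/products/**' },
    ],
  },
};

// Turn a hostname or pathname glob into an anchored RegExp. `*` stops at the
// segment separator (`.` for hosts, `/` for paths); `**` crosses it.
function globToRegExp(glob, segmentChar) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const re = escaped
    .replace(/\*\*/g, '\u0000')
    .replace(/\*/g, `[^${segmentChar}]*`)
    .replace(/\u0000/g, '.*');
  return new RegExp(`^${re}$`);
}

// Simplified approximation of one remotePatterns entry; not the framework's matcher.
function matchesPattern(url, pattern) {
  if (pattern.protocol && `${pattern.protocol}:` !== url.protocol) return false;
  if (pattern.port !== undefined && pattern.port !== url.port) return false;
  if (!globToRegExp(pattern.hostname, '.').test(url.hostname)) return false;
  const pathname = pattern.pathname === undefined ? '**' : pattern.pathname;
  return globToRegExp(pathname, '/').test(url.pathname);
}

// Would the optimizer be allowed to fetch rawUrl under this config?
function isAllowedRemoteUrl(rawUrl, config) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never an allowed remote image
  }
  return config.images.remotePatterns.some((p) => matchesPattern(url, p));
}
```

Under the permissive config an image on any attacker-registered host is fetchable, so the "attacker must control an allowed domain" precondition is met trivially; under the restricted config only the named origin and path prefix pass, and a plain-HTTP URL or a different path on the same host is refused.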
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: hackerone
- Date Reserved: 2025-09-16T15:00:07.876Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6977e1c04623b1157cbdb69d
Added to database: 1/26/2026, 9:50:56 PM
Last enriched: 2/3/2026, 8:43:44 AM
Last updated: 2/7/2026, 12:30:02 PM