CVE-2025-59471 is a denial of service (DoS) vulnerability in the Next.js framework's Image Optimizer component when configured with remotePatterns to allow image optimization from external domains. The vulnerability exists because the endpoint `/_next/image` loads the entire external image into memory without enforcing a maximum size limit. An attacker who can serve or control a large image on an allowed domain can exploit this by requesting the optimization of arbitrarily large images, causing the server to consume excessive memory and potentially crash or become unresponsive due to out-of-memory conditions. This flaw affects self-hosted Next.js applications running versions 10.0 through 16.0 that have remotePatterns configured for external image domains. The attack vector is network-based and does not require authentication or user interaction, but the attacker must be able to serve large images from domains permitted by the remotePatterns configuration. The vulnerability has a CVSS 3.1 score of 5.9, reflecting a medium severity with a high impact on availability but no impact on confidentiality or integrity. The recommended mitigation is to upgrade to Next.js versions 15.5.10 or 16.1.5, which include fixes to enforce size limits or otherwise prevent this memory exhaustion. No known exploits have been reported in the wild, but the vulnerability poses a risk of service disruption for affected deployments, especially those exposed to untrusted networks and allowing external image optimization.

For European organizations, this vulnerability primarily threatens the availability of web applications built with vulnerable Next.js versions that use the Image Optimizer with remotePatterns configured for external domains. An attacker could cause denial of service by forcing the server to load very large images into memory, leading to crashes or degraded performance. This could disrupt customer-facing websites or internal applications, resulting in downtime, loss of user trust, and potential financial impact. Organizations relying on Next.js for critical services or high-traffic sites are particularly at risk. Since the vulnerability does not affect confidentiality or integrity, data breaches are unlikely, but service interruptions could affect business continuity. The risk is higher for organizations that allow image optimization from multiple or untrusted external domains and have not applied the recommended patches. Given the medium CVSS score and no authentication required, the threat is moderate but should be addressed promptly to avoid availability issues.

1. Upgrade Next.js to version 15.5.10 or 16.1.5 or later, which contain fixes to prevent this vulnerability. 2. Review and restrict the remotePatterns configuration to only allow trusted and necessary external domains for image optimization, minimizing exposure. 3. Implement network-level protections such as rate limiting or web application firewalls (WAFs) to detect and block abnormal requests to the `/_next/image` endpoint, especially those requesting unusually large images. 4. Monitor application logs and resource usage for signs of memory exhaustion or unusual image optimization requests. 5. If upgrading immediately is not feasible, consider disabling external image optimization temporarily or enforcing size limits at the application or proxy level to prevent large image processing. 6. Educate development and operations teams about the risk and ensure secure configuration management to avoid overly permissive remotePatterns settings.