Next.js versions from 10.0.0 up to but not including 15.5.16, and from 16.0.0 up to but not including 16.2.5, contain a resource allocation vulnerability (CWE-770) in the default image loader. Specifically, the Image Optimization API loads local images entirely into memory without limiting the maximum size. Attackers can exploit this by requesting large local images matching the images.localPatterns configuration, potentially causing out-of-memory conditions on the server. This vulnerability has a CVSS 3.1 base score of 5.9, indicating medium severity, with network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to availability (denial of service). The vulnerability is addressed in Next.js versions 15.5.16 and 16.2.5.

Successful exploitation of this vulnerability can cause denial of service by exhausting server memory resources when processing large local images through the Image Optimization API. There is no impact on confidentiality or integrity. No known exploits are reported in the wild at this time.

This vulnerability is fixed in Next.js versions 15.5.16 and 16.2.5. Users self-hosting Next.js with the default image loader should upgrade to one of these versions or later to remediate the issue. Patch status is confirmed by the version fixes noted in the description. No vendor advisory content was provided to indicate alternative mitigations or temporary fixes.