DEV Community

Devam Chaudhari

Understanding CVE-2025-59471: Out-of-Memory DoS in Next.js

If you are running Next.js in a self-hosted environment and have configured remotePatterns for image optimization, a newly disclosed vulnerability (CVE-2025-59471) could put your application's availability at risk.

This vulnerability allows an attacker to trigger a Denial of Service (DoS) by exhausting your server's memory.


The Vulnerability: Uncontrolled Resource Consumption (CWE-400)

The Next.js Image Optimization endpoint (/_next/image) is designed to resize images from allowed external domains.

The Root Cause

The vulnerability exists because the Image Optimizer loads external images entirely into memory without enforcing a maximum size limit.

An attacker can exploit this by:

  1. Identifying a domain you have whitelisted in your remotePatterns.
  2. Hosting an extremely large image file on that domain (or gaining control of a path on that domain).
  3. Requesting that large image through your /_next/image endpoint.

Because the server attempts to pull the entire large file into RAM to process it, it can trigger an Out-of-Memory (OOM) condition, causing your Node.js process to crash and take your site offline.
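As an added example (not Next.js's own code, and not the patch the project shipped), this Node.js snippet shows the defensive pattern that addresses the root cause: reject a remote response whose declared Content-Length exceeds a cap, and count bytes while streaming the body so a missing or misreported size is still bounded instead of being buffered whole. MAX_IMAGE_BYTES, the function names and the fakeImageStream stand-in are assumptions constructed for the example.

```javascript
// Added example, not Next.js's own code: bound how much of a remote image the
// server will buffer so one oversized upstream file cannot exhaust memory.
const MAX_IMAGE_BYTES = 10 * 1024 * 1024; // assumed cap: 10 MiB

class ImageTooLargeError extends Error {
  constructor(bytes, max) {
    super(`upstream image exceeds ${max} bytes (saw at least ${bytes})`);
    this.name = 'ImageTooLargeError';
  }
}
// Read a ReadableStream of Uint8Array chunks, counting bytes as they arrive and
// cancelling the stream as soon as the running total passes maxBytes.
async function readBounded(stream, maxBytes) {
  const reader = stream.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) return Buffer.concat(chunks);
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel(); // stop pulling further bytes from upstream
      throw new ImageTooLargeError(total, maxBytes);
    }
    chunks.push(value);
  }
}
// Reject on a declared Content-Length over the cap, then enforce the same cap on the
// real bytes (a missing or forged header is not trusted). fetchImpl is injectable for tests.
async function fetchImageBounded(url, maxBytes = MAX_IMAGE_BYTES, fetchImpl = fetch) {
  const res = await fetchImpl(url);
  const declared = Number(res.headers.get('content-length'));
  if (Number.isFinite(declared) && declared > maxBytes) {
    throw new ImageTooLargeError(declared, maxBytes);
  }
  return readBounded(res.body, maxBytes);
}
// Constructed stand-in upstream: streams totalBytes of zeros in chunkSize pieces, no Content-Length.
function fakeImageStream(totalBytes, chunkSize = 64 * 1024) {
  let sent = 0;
  return new ReadableStream({
    pull(controller) {
      if (sent >= totalBytes) return controller.close();
      const n = Math.min(chunkSize, totalBytes - sent);
      controller.enqueue(new Uint8Array(n));
      sent += n;
    },
  });
}
```

The cap is applied twice on purpose: the header check is cheap but attacker-controlled, while the streaming count is what actually keeps a chunked or lying upstream from filling RAM.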


You are at risk if:

  1. You are self-hosting (the vulnerability does not affect Vercel's managed infrastructure).
  2. You have images.remotePatterns configured in next.config.js.
  3. You are running one of the following versions:
    • Next.js 10.0.0 through 15.5.9
    • Next.js 15.6.0-canary.0 through 16.1.4

How to Fix It

The official fix involves upgrading to versions where Next.js now enforces limits on the resources consumed during optimization.

1. Update your dependencies immediately

Update your project to the first patched versions or higher:

  • Next.js 15.x: Upgrade to v15.5.10
  • Next.js 16.x (Canary/Pre-release): Upgrade to v16.1.5

  npm install next@15.5.10
  # or
  yarn add next@15.5.10

2. Audit your remotePatterns

As a security best practice, ensure your remotePatterns are as specific as possible. Avoid using broad wildcards that might allow an attacker to serve large images from unexpected subdomains of a trusted provider.
