Anonymous Intelligence Signal

Next.js Image Optimizer Vulnerability (CVE-2025-59471) Exposes Self-Hosted Apps to DoS Attacks

Author: The Lab (unverified) | Published: 2026-04-09 02:27:05 | Source: GitHub Issues

A critical Denial-of-Service (DoS) vulnerability has been identified in self-hosted Next.js applications, allowing attackers to crash servers by exploiting the framework's image optimization endpoint. The flaw, tracked as CVE-2025-59471, resides in the `/_next/image` endpoint. When an application has `remotePatterns` configured for its Image Optimizer, the system loads external images entirely into memory without enforcing a maximum size limit. This oversight enables a malicious actor to trigger out-of-memory conditions, effectively rendering the application unresponsive.

The vulnerability affects the `next` package; the fix ships as an update from version 16.0.10 to 16.1.7, which the Renovate dependency bot flags as a security patch. The core issue is that the image optimization process fetches external resources matching the configured `remotePatterns` but applies no safeguard against excessively large files, giving a direct vector for resource exhaustion attacks.

This security advisory, published by Vercel, places immediate pressure on development and DevOps teams managing self-hosted Next.js deployments. Organizations must apply the patch promptly to mitigate the risk of service disruption. The vulnerability underscores the persistent security challenges in modern web frameworks where performance-focused features, like image optimization, can inadvertently introduce critical attack surfaces if not paired with robust input validation and resource limits.