Next.js Image Optimizer Vulnerability (CVE-2025-59471) Exposes Self-Hosted Apps to DoS Attacks
A critical Denial-of-Service (DoS) vulnerability has been identified in self-hosted Next.js applications, exposing them to memory exhaustion attacks. The flaw, tracked as CVE-2025-59471, resides in the framework's Image Optimizer endpoint (`/_next/image`). When an application has `remotePatterns` configured, this endpoint fetches external images entirely into memory without enforcing a maximum size. This oversight allows a malicious actor to trigger out-of-memory conditions by repeatedly requesting oversized image payloads or serving crafted ones, potentially crashing the application server.
The vulnerability specifically affects the Next.js framework, a popular React-based tool for building web applications, developed by Vercel. The security advisory was published via GitHub, and the issue is addressed in version 16.2.3. The update is classified as a security fix, prompting automated dependency management tools like RenovateBot to flag the pull request with a [SECURITY] tag. The patch moves applications from version 16.1.3 to 16.2.3, closing the security gap in the image optimization pipeline.
This vulnerability poses significant operational risk to any organization running a self-hosted Next.js instance with image optimization enabled for external sources. The lack of a memory cap on ingested images creates a direct vector for resource exhaustion, making applications susceptible to downtime. Developers and DevOps teams must prioritize applying this update to mitigate the immediate risk of service disruption and ensure their application's resilience against targeted DoS attempts. The fix underscores the ongoing necessity of rigorous dependency management in modern software supply chains.