Next.js 15 Security Update Patches Critical DoS Vulnerability in Image Optimizer (CVE-2025-59471)
A critical Denial-of-Service (DoS) vulnerability has been patched in the latest major release of Next.js, making a security update mandatory for self-hosted applications. The flaw, tracked as CVE-2025-59471, resides in the framework's Image Optimizer and exposes applications that configure `remotePatterns` to resource exhaustion attacks. This is not a theoretical risk: an attacker can make the endpoint load external images entirely into memory with no size or resource limit, a direct path to crashing the application or severely degrading its performance.
The security advisory from Vercel, the company behind Next.js, details that the vulnerability specifically affects the `/_next/image` optimization endpoint. When an application defines `remotePatterns` to allow image fetching from external sources, the endpoint fails to enforce memory constraints on the loaded images. This oversight means a malicious actor could repeatedly request or force the loading of very large external images, consuming all available memory on the host server and leading to a complete service outage.
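The failure mode described above, buffering a remote response with no cap at all, is easiest to see next to its bounded counterpart. The following is an added example in plain Node.js and is not code from the advisory or from the Next.js code base; the byte budget, the chunk generator standing in for an upstream response body, the plain headers object and all function names are constructed for the illustration.

```javascript
// Added example, not Next.js code. Contrasts an unbounded read of a remote
// image body with a read that enforces a hard byte budget.
const MAX_IMAGE_BYTES = 10 * 1024 * 1024; // illustrative budget: 10 MiB

// Unbounded: every chunk is retained until the upstream closes, so one
// oversized response can consume all process memory. This is the pattern the
// advisory describes; it is shown here only as the "before" case.
function bufferUnbounded(chunks) {
  const parts = [];
  for (const chunk of chunks) parts.push(chunk);
  return Buffer.concat(parts);
}

class ImageTooLargeError extends Error {
  constructor(limit, seen) {
    super(`remote image exceeds ${limit} bytes (read ${seen} so far)`);
    this.name = 'ImageTooLargeError';
  }
}

// Pre-check on the upstream's declared size. Returns true when the response
// may proceed to buffering. A missing or malformed Content-Length is allowed
// through because the streaming cap below still applies, so an unstated size
// cannot bypass the limit; the header only lets us fail fast.
function contentLengthWithinLimit(headers, limit = MAX_IMAGE_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return true;
  const declared = Number.parseInt(raw, 10);
  if (!Number.isFinite(declared) || declared < 0) return true;
  return declared <= limit;
}

// Bounded: stop as soon as the accumulated byte count exceeds the budget,
// before the offending chunk is retained.
function bufferWithLimit(chunks, limit = MAX_IMAGE_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > limit) throw new ImageTooLargeError(limit, total);
    parts.push(chunk);
  }
  return Buffer.concat(parts);
}

// Constructed stand-in for a response body: yields `count` chunks of `size` bytes.
function* fakeBody(count, size) {
  for (let i = 0; i < count; i++) yield Buffer.alloc(size, 0xff);
}

// Runs both cases under an 8 KiB budget and reports what happened.
function demo() {
  const small = bufferWithLimit(fakeBody(4, 1024), 8192); // 4 KiB, under budget
  let rejected = false;
  try {
    bufferWithLimit(fakeBody(16, 1024), 8192); // 16 KiB, over budget
  } catch (e) {
    rejected = e instanceof ImageTooLargeError;
  }
  return { smallBytes: small.length, oversizedRejected: rejected };
}

console.log(demo()); // { smallBytes: 4096, oversizedRejected: true }
```

The two checks are deliberately layered: the Content-Length pre-check rejects an honestly declared oversized image without reading a byte, while the per-chunk cap is the control that actually holds, since an upstream can omit or misstate the header. Whatever budget is chosen should be sized to the largest image the application legitimately serves, not to the host's available memory.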
The fix is included in the jump from Next.js version 14 to version 15, as highlighted by an automated dependency update pull request. The urgency of this update is underscored by its classification as a GitHub Security Advisory. For development teams, this creates immediate operational pressure: failing to merge the update leaves production applications open to a simple yet effective attack against a core, frequently used feature of the framework. The patch is a critical maintenance task that cannot be deferred without accepting significant availability risk.