CVE Reports

Originally published at cvereports.com

CVE-2025-59471: Next.js Image Optimizer: The 4GB Hello World

Vulnerability ID: CVE-2025-59471
CVSS Score: 5.9
Published: 2026-01-27

The Next.js Image Optimization API, a beloved feature for frontend performance, contained a fatal resource handling flaw. By requesting the optimization of a massive external image, an attacker could force the server to buffer the entire file into memory before validation, leading to immediate process termination (OOM).

TL;DR

The /_next/image endpoint used res.arrayBuffer() to fetch upstream images, loading the entire file into RAM. An attacker can host a multi-gigabyte image on a whitelisted domain, request it via the optimizer, and instantly crash the Node.js process via Out-Of-Memory (OOM). Fixed in 15.5.10 and 16.1.5 by implementing streaming size checks.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400 (Uncontrolled Resource Consumption)
  • CVSS Score: 5.9 (Medium)
  • Attack Vector: Network
  • Impact: Availability (High)
  • Vulnerable Function: fetchExternalImage / res.arrayBuffer()
  • Fix Implementation: Streaming Byte Counter
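The buffered read named above beside a streaming reader that enforces the byte cap while the body is still arriving, as an added example written for this page (my own code, not Next.js source and not the patch itself). `ByteLimiter`, `readBodyWithLimit`, `fakeUpstream` and `probe` are names chosen here; the 50 MB default mirrors the value in the second commit below, and the fake upstream is a constructed stand-in for a real fetch Response.

```javascript
// Added example, not Next.js source: the vulnerable buffered read beside a
// streaming reader that enforces a byte cap while the body is still arriving.
// ByteLimiter, readBodyWithLimit, fakeUpstream and probe are names chosen here.

const DEFAULT_MAX_BYTES = 50 * 1024 * 1024; // 50 MB, the patched default

class ResponseTooLargeError extends Error {
  constructor(received, limit) {
    super(`upstream body exceeds ${limit} bytes (saw ${received})`);
    this.name = 'ResponseTooLargeError';
    this.received = received;
    this.limit = limit;
  }
}

// Vulnerable shape (CWE-400): the whole body is materialised before anything
// looks at its size, so a multi-gigabyte upstream image becomes a
// multi-gigabyte heap allocation and the process dies with OOM.
async function readBodyBuffered(res) {
  return Buffer.from(await res.arrayBuffer());
}

// Synchronous core of the fix: count bytes chunk by chunk and fail as soon as
// the running total passes the limit. Kept free of I/O so it is easy to test.
class ByteLimiter {
  constructor(maxBytes = DEFAULT_MAX_BYTES) {
    this.maxBytes = maxBytes;
    this.received = 0;
    this.chunks = [];
  }

  // Cheap early reject on a declared Content-Length. An absent or lying
  // header is still caught by push(), so this is an optimisation, not the guard.
  checkDeclaredLength(contentLength) {
    const declared = Number(contentLength);
    if (Number.isFinite(declared) && declared > this.maxBytes) {
      throw new ResponseTooLargeError(declared, this.maxBytes);
    }
  }

  push(chunk) {
    this.received += chunk.byteLength;
    if (this.received > this.maxBytes) {
      throw new ResponseTooLargeError(this.received, this.maxBytes);
    }
    this.chunks.push(chunk);
  }

  finish() {
    return Buffer.concat(this.chunks, this.received);
  }
}

// Hardened shape: iterate the body stream instead of calling arrayBuffer().
// Throwing out of `for await` invokes the iterator's return(), which cancels
// the underlying stream, so the server stops pulling bytes from upstream.
async function readBodyWithLimit(res, maxBytes = DEFAULT_MAX_BYTES) {
  const limiter = new ByteLimiter(maxBytes);
  limiter.checkDeclaredLength(res.headers.get('content-length'));
  for await (const chunk of res.body) {
    limiter.push(chunk);
  }
  return limiter.finish();
}

// Constructed stand-in for a fetch Response: an async generator that yields
// `totalBytes` lazily in `chunkSize` pieces and records how much was actually
// pulled. With declareLength false it behaves like a chunked response that
// carries no Content-Length header at all.
function fakeUpstream(totalBytes, { chunkSize = 1024 * 1024, declareLength = false } = {}) {
  const stats = { produced: 0 };
  async function* body() {
    while (stats.produced < totalBytes) {
      const n = Math.min(chunkSize, totalBytes - stats.produced);
      stats.produced += n;
      yield Buffer.alloc(n);
    }
  }
  const headers = new Map(declareLength ? [['content-length', String(totalBytes)]] : []);
  return { stats, res: { body: body(), headers } };
}

// Runs one scenario and reports whether the read succeeded and how many bytes
// the fake upstream actually had to produce before the limiter gave up.
async function probe(totalBytes, maxBytes = DEFAULT_MAX_BYTES, opts = {}) {
  const { stats, res } = fakeUpstream(totalBytes, opts);
  try {
    const buf = await readBodyWithLimit(res, maxBytes);
    return { ok: true, length: buf.length, produced: stats.produced };
  } catch (err) {
    if (!(err instanceof ResponseTooLargeError)) throw err;
    return { ok: false, received: err.received, produced: stats.produced };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  // The "4GB hello world": a 4 GiB upstream against the 50 MB default,
  // once as a chunked body and once with an honest Content-Length.
  probe(4 * 1024 ** 3).then((r) => console.log('chunked 4 GiB:', r));
  probe(4 * 1024 ** 3, DEFAULT_MAX_BYTES, { declareLength: true })
    .then((r) => console.log('declared 4 GiB:', r));
}
```

The point the probe makes is the difference in what reaches the heap: with the chunked 4 GiB body the limiter rejects after 51 one-megabyte chunks and the generator never produces the rest, and with a declared length it rejects before a single chunk is read. `readBodyBuffered` is kept only to show the shape being replaced; calling it on the same fake body would allocate the full size.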

Affected Systems

  • Next.js Self-hosted Applications
  • Next.js: >= 10.0.0, <= 15.5.9 (Fixed in: 15.5.10)
  • Next.js: >= 16.0.0, <= 16.1.4 (Fixed in: 16.1.5)

Code Analysis

Commit: 1caaca3

Implementation of streaming byte counter and limit enforcement

- const buffer = Buffer.from(await res.arrayBuffer());
+ for await (const chunk of res.body) { ... }
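Review bot: as excerpted, `for await (const chunk of res.body) { ... }` hides the only part that matters, namely where the running byte total is compared against the limit and what happens when it is exceeded. The commit description should state that the comparison runs on every chunk before the chunk is retained, that overflow aborts the read (breaking out of `for await` cancels the stream, so no further upstream bytes are pulled) and what error the caller receives, and it should say whether a declared Content-Length above the limit is rejected before any body is read, since that is the cheap path for the 4GB case.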

Commit: 500ec83

Reduction of default maximumResponseBody from 300MB to 50MB

- maximumResponseBody = 300 * 1024 * 1024
+ maximumResponseBody = 50 * 1024 * 1024
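Review bot: dropping the default `maximumResponseBody` from 300MB to 50MB is a silent behaviour change for self-hosters whose legitimate upstream images exceed 50MB, so this commit should be paired with an upgrade note naming the `images.maximumResponseBody` override. It is also worth stating that 50MB is still a per-request allocation, so the default alone does not bound memory under many concurrent optimizer requests; that is why the advice to tighten the value and restrict `remotePatterns` still applies on patched versions.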

Exploit Details

  • Manual: The advisory describes triggering OOM by requesting large images from allowed remotePatterns.

Mitigation Strategies

  • Update Next.js to patched versions (15.5.10+ or 16.1.5+)
  • Configure 'images.maximumResponseBody' to a conservative limit (e.g., 5MB)
  • Isolate Image Optimization into a separate microservice
  • Restrict 'remotePatterns' to strictly trusted, controlled domains

Remediation Steps:

  1. Run 'npm install next@latest' or 'yarn upgrade next'
  2. Verify version is >= 15.5.10 or >= 16.1.5
  3. Open 'next.config.js'
  4. Add 'maximumResponseBody' to the 'images' configuration object
  5. Deploy and monitor memory usage graphs
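Steps 3 and 4 in a concrete next.config.js, as an added example written for this page and not taken from the advisory or from Next.js itself. The hostname is a placeholder; the 5MB value is the conservative limit suggested under Mitigation Strategies, expressed in bytes because the patch shows the option as `50 * 1024 * 1024`.

```javascript
// next.config.js (added example; the hostname is a placeholder)
/** @type {import('next').NextConfig} */
const nextConfig = {
  images: {
    // Largest upstream image body the optimizer will read, in bytes.
    // 5MB is well below the 50MB default the fix introduced and far
    // below the 300MB the pre-patch default allowed.
    maximumResponseBody: 5 * 1024 * 1024,
    // Only optimize images from hosts you control: the OOM needs a huge
    // file served from a host this list permits.
    remotePatterns: [
      { protocol: 'https', hostname: 'cdn.example.com', pathname: '/**' },
    ],
  },
};

module.exports = nextConfig;
```

After deploying, step 5 is the check that the limit actually took effect: the process's resident memory should no longer track the size of the largest upstream image requested, and rejected requests should show up as optimizer errors rather than restarts.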

References

Read the full report for CVE-2025-59471 on our website for more details including interactive diagrams and full exploit analysis.
