Summaries of CVE-2025-59471 and CVE-2025-59472

Two medium-severity denial-of-service vulnerabilities were discovered in self-hosted Next.js applications. Both issues can cause server crashes through memory exhaustion under specific configurations. No data exposure or privilege escalation is possible. 

Applications hosted on Vercel’s platform are not affected by these issues, and require no customer action.

Summary

CVE-2025-59471 (CVSS 5.9) affects the Image Optimizer when external image optimization is enabled via remotePatterns. The /_next/image endpoint loads remote images fully into memory without enforcing a maximum size, allowing an attacker to trigger out-of-memory conditions using very large images hosted on an allowed domain.

CVE-2025-59472 (CVSS 5.9) affects applications with Partial Pre-Rendering (PPR) enabled in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests and processes attacker-controlled data, allowing memory exhaustion through unbounded request buffering or decompression.

Affected Versions

CVE-2025-59471

  • Next.js versions >=10 through <15.5.10

  • Next.js versions >=16 through <16.1.5

CVE-2025-59472

  • Next.js versions >=15 through <15.6.0-canary.61

  • Next.js versions >=16 through <16.1.5

Impact

Both vulnerabilities can cause the Node.js process to terminate due to memory exhaustion, resulting in application downtime.

CVE-2025-59471 requires external image optimization to be enabled and the attacker to control a large image hosted on an allowed domain.

CVE-2025-59472 only affects applications running with the experimental.ppr: true or cacheComponents: true configuration options and NEXT_PRIVATE_MINIMAL_MODE=1 as an environment variable.

Resolution

Fixed in:

  • 15.5.10

  • 15.6.0-canary.61

  • 16.1.5

  • 16.2.0-canary.9

Workaround:

For self-hosted deployments unable to upgrade immediately:

  • Restrict or remove untrusted remotePatterns

  • Disable Partial Pre-Rendering or minimal mode

  • Apply strict request size limits at the reverse proxy layer
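As an added illustration of the first two workarounds (not code from this advisory or from the Next.js project): a next.config.js fragment with an overly broad remotePatterns entry beside a restricted one, and a small review helper an operator could run in CI to flag the preconditions named above. The hostname cdn.example.com is a placeholder, and the helper's matching rules are a simplified assumption, not Next.js's own validation.

```javascript
// Added example: next.config.js settings relevant to the two advisories, plus a
// lint helper for self-hosted deployments. The helper is an assumption about
// what to flag, not Next.js's own config validation logic.

// Overly broad: every https host is an "allowed domain", so any oversized image
// hosted anywhere can be pulled through /_next/image (CVE-2025-59471 precondition).
const permissiveConfig = {
  images: { remotePatterns: [{ protocol: 'https', hostname: '**' }] },
  experimental: { ppr: true },
};

// Restricted: only the CDN the app actually uses, pinned to one path prefix,
// and PPR left off until the deployment runs a fixed version.
const restrictedConfig = {
  images: {
    remotePatterns: [
      // placeholder host, not a real deployment value
      { protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' },
    ],
  },
  experimental: { ppr: false },
};

// Returns a list of findings; an empty list means nothing to flag.
// `env` is passed explicitly so the check can be run against a deployment's
// environment without relying on the CI runner's own variables.
function reviewNextConfig(config, env = process.env) {
  const findings = [];
  const patterns = (config.images && config.images.remotePatterns) || [];
  for (const p of patterns) {
    const host = p.hostname || '';
    if (host === '*' || host.includes('**')) {
      findings.push(`remotePatterns: wildcard hostname "${host}" allows any external image source`);
    }
    if (!p.protocol) {
      findings.push(`remotePatterns: "${host}" does not pin a protocol`);
    }
  }
  // The advisory names both experimental.ppr and top-level cacheComponents.
  const pprOn = (config.experimental && config.experimental.ppr) || config.cacheComponents;
  if (pprOn && env.NEXT_PRIVATE_MINIMAL_MODE === '1') {
    findings.push('PPR/cacheComponents enabled with NEXT_PRIVATE_MINIMAL_MODE=1 (CVE-2025-59472 preconditions)');
  }
  return findings;
}
```

The third workaround, a request body size limit, belongs in the reverse proxy configuration rather than in next.config.js and is not covered by this helper.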

Credit

We thank Andrew MacPherson for their responsible disclosure through our bug bounty program.

References