CVE-2025-59471: Next.js Image Optimizer Vulnerability Causes Denial-of-Service


These articles are AI-generated summaries. Please check the original sources for full details.

Next.js Image Optimizer: The 4GB Hello World

The Next.js Image Optimization API, intended to improve frontend performance, contained a critical resource-handling flaw. A malicious actor could trigger an Out-Of-Memory (OOM) error and crash the server by asking the optimizer to fetch and process a very large external image, because the whole remote response body was buffered in memory before any size check was applied.

Why This Matters

Designs tend to assume well-behaved inputs, but real-world systems receive hostile ones. This vulnerability illustrates how unchecked resource consumption can lead to denial of service even in a seemingly innocuous feature: a single multi-gigabyte image could halt a production Next.js application, causing significant downtime and potential financial loss.

Key Insights

  • CVSS Score: 5.9 (Medium), 2026-01-27: reflects the moderate risk posed by the vulnerability, whose impact is on availability.
  • CWE-400: Uncontrolled Resource Consumption: highlights the core issue, namely that an external party decides how much memory the server allocates.
  • Streaming Byte Counter: the key mitigation, implemented in commits 1caaca3 and 500ec83, replaces res.arrayBuffer() with a streaming read that counts bytes as they arrive and stops once a limit is exceeded.

Working Example

// next.config.js
module.exports = {
  images: {
    // Only allow the optimizer to fetch from hosts you explicitly trust;
    // a wildcard here lets any remote image reach the optimizer.
    remotePatterns: [
      {
        protocol: 'https',
        hostname: 'example.com',
      },
    ],
    // Upper bound on the remote response body the optimizer will read.
    maximumResponseBody: 50 * 1024 * 1024, // 50MB limit
  },
};
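The config above sets the ceiling; the server-side counterpart is the streaming byte counter named under Key Insights. The following is an added example written for this summary, not code from Next.js or from commits 1caaca3 and 500ec83. It shows the pattern in plain JavaScript: a Content-Length pre-check as a cheap first layer, then a byte count over the streamed body that cancels the stream the moment the limit is crossed, so the oversized tail is never buffered (the naive res.arrayBuffer() path buffers everything before any check can run). The names readBodyWithLimit, collectChunksWithLimit, ResponseTooLargeError and fakeRemoteImage are hypothetical, and the 50 MB default mirrors the config value above; the remote responses are constructed in-process so the block runs offline on Node 18+.

```javascript
// Added example (hypothetical helper names; not the Next.js implementation).
// Reads a remote image body while counting bytes and aborts past a limit.

const MAX_RESPONSE_BYTES = 50 * 1024 * 1024; // mirrors the 50MB value in next.config.js above

class ResponseTooLargeError extends Error {
  constructor(limit, seen) {
    super(`remote body exceeded ${limit} bytes (saw ${seen})`);
    this.name = 'ResponseTooLargeError';
  }
}

// Join already-accepted chunks into one buffer. Only called once the total is known to be within the limit.
function concatChunks(parts, total) {
  const out = new Uint8Array(total);
  let offset = 0;
  for (const part of parts) {
    out.set(part, offset);
    offset += part.byteLength;
  }
  return out;
}

// Core counter over a synchronous iterable of Uint8Array chunks (the same logic the
// async reader uses, kept separate so it can be exercised without a stream).
function collectChunksWithLimit(chunks, maxBytes = MAX_RESPONSE_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.byteLength;
    if (total > maxBytes) throw new ResponseTooLargeError(maxBytes, total);
    parts.push(chunk);
  }
  return concatChunks(parts, total);
}

// Read a fetch()-style Response body with a hard byte ceiling.
async function readBodyWithLimit(response, maxBytes = MAX_RESPONSE_BYTES) {
  // Layer 1: reject on a declared Content-Length. Cheap, but never sufficient alone:
  // the header is optional, chunked responses have none, and a remote host can lie.
  const declared = Number(response.headers.get('content-length'));
  if (Number.isFinite(declared) && declared > maxBytes) {
    await response.body.cancel();
    throw new ResponseTooLargeError(maxBytes, declared);
  }
  // Layer 2: count bytes as they arrive; cancel the stream as soon as the limit is crossed,
  // so nothing beyond the limit is pulled from the socket or held in memory.
  const reader = response.body.getReader();
  const parts = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    total += value.byteLength;
    if (total > maxBytes) {
      await reader.cancel();
      throw new ResponseTooLargeError(maxBytes, total);
    }
    parts.push(value);
  }
  return concatChunks(parts, total);
}

// Constructed stand-in for a remote image response: a pull-based stream that hands out
// chunkCount chunks of chunkSize bytes and records how many were actually pulled.
function fakeRemoteImage(chunkCount, chunkSize, contentLength) {
  const stats = { chunksPulled: 0 };
  const body = new ReadableStream({
    pull(controller) {
      if (stats.chunksPulled >= chunkCount) { controller.close(); return; }
      stats.chunksPulled += 1;
      controller.enqueue(new Uint8Array(chunkSize).fill(0xab));
    },
  });
  const headers = new Map();
  if (contentLength !== undefined) headers.set('content-length', String(contentLength));
  const response = { headers: { get: (k) => headers.get(k.toLowerCase()) ?? null }, body };
  return { response, stats };
}

// Three scenarios with a 50-byte limit: a small body, an oversized body with no
// Content-Length (caught mid-stream), and an honestly declared oversize (caught before reading).
async function demo() {
  const limit = 50;
  const small = fakeRemoteImage(2, 16);
  const smallBytes = (await readBodyWithLimit(small.response, limit)).byteLength;

  const big = fakeRemoteImage(8, 16);
  let oversizedRejected = false;
  try { await readBodyWithLimit(big.response, limit); } catch (e) { oversizedRejected = e instanceof ResponseTooLargeError; }

  const declared = fakeRemoteImage(8, 16, 128);
  let headerRejected = false;
  try { await readBodyWithLimit(declared.response, limit); } catch (e) { headerRejected = e instanceof ResponseTooLargeError; }

  return { smallBytes, oversizedRejected, chunksPulledBeforeAbort: big.stats.chunksPulled, headerRejected };
}
```

The point of the cancel() call is that the stream stops pulling from the upstream socket: in the mid-stream scenario only a handful of the eight chunks are ever requested, whereas arrayBuffer() would have consumed all of them before the caller could compare the size against the limit.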

Practical Applications

  • Shopify: could have been targeted with large images hosted on CDNs to disrupt the platform.
  • Pitfall: overly permissive remotePatterns with no size limit let an attacker point the optimizer at any large image, making vulnerabilities like this easy to exploit.
