Outdated Next.js Version Can Be Used to Slow Down or Crash Your Website

Your website is running an older version of Next.js (a popular web framework) that has a known weakness in how it handles images. An attacker could repeatedly trigger the image processing feature in a way that overloads your server, making your site slow or temporarily unavailable. Upgrading to the latest version closes this gap.

Business Impact And Actions

medium urgency

Business Impact

If exploited, your website could become slow or unresponsive for real visitors — meaning lost sales, a poor customer experience, and potential SLA breaches if you have uptime commitments. This is not a data breach risk, but prolonged downtime can damage customer trust and, depending on your industry, may be flagged in compliance reviews.

What To Do

  1. Ask your developer to upgrade Next.js to version 14.2.7 or later — this is the official fix and is typically a straightforward update.
  2. If an immediate upgrade isn't possible, ask your developer to add a one-line setting to your site's configuration file (next.config.js) to disable the built-in image optimizer as a temporary workaround.
  3. After the upgrade, ask your developer to confirm the new version is live by checking the package version in your project.
  4. Consider setting up automated alerts for future dependency vulnerabilities so issues like this are caught earlier.

Next.js Uncontrolled Recursion in Image Optimization (CVE-2024-47831)

medium severity CVSS 5.9

Vulnerability Explanation

The built-in image optimization pipeline in Next.js (the `/_next/image` endpoint) contains an uncontrolled recursion flaw (CWE-674). When image optimization is enabled with its default settings, a remote attacker can send crafted requests to that endpoint that trigger excessive, unbounded recursion in the image processing logic. The resulting CPU consumption starves legitimate requests and produces a Denial of Service condition. The attack requires no authentication or user interaction, but the CVSS vector behind the 5.9 score rates attack complexity as high, and CISA's SSVC assessment marks exploitation as not automatable.

Root Cause

The image optimization feature did not bound the amount of recursion that could occur during image processing. Without a recursion depth limit or an adequate resource guard, a specially crafted request could make the processor recurse without bound, exhausting CPU resources (CWE-674: Uncontrolled Recursion).

Technical Impact

An unauthenticated remote attacker can cause excessive CPU consumption on the Next.js server, rendering the application slow or completely unresponsive. No data exfiltration or code execution is possible — impact is limited to availability.

Severity Justification

CVSS 5.9 (Medium), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H: network-accessible with no authentication or user interaction required, but high attack complexity, and impact limited to availability (no confidentiality or integrity impact). With low attack complexity the same vector would score 7.5, so the published score itself implies the high-complexity rating. CISA's SSVC assessment rates exploitation as non-automatable with partial technical impact.

Affected Components

  • next >= 10.0.0, < 14.2.7

Remediation Steps

  1. Upgrade the `next` package to version 14.2.7 or later: `npm install next@latest` (or `npm install next@14.2.7` if you cannot take a newer major release yet). Commit the updated lockfile so CI and production install the patched version. This is the primary and recommended fix.
  2. If an immediate upgrade is not feasible, apply the workaround in `next.config.js` by setting `images.unoptimized: true` or by configuring a custom `images.loader` together with `images.loaderFile`. Either setting disables the vulnerable built-in optimizer. Note that `unoptimized: true` serves source images as-is, with no resizing or format conversion, so expect larger image payloads until you upgrade.
  3. After upgrading, run your test suite and verify the application starts correctly, as major version jumps (e.g., 12.x → 14.x) may require addressing breaking changes.
  4. Deploy the updated build to production and confirm the running version with `npm list next` (or `npx next --version`) inside the deployed artifact. The `X-Powered-By: Next.js` response header, when enabled, carries no version number, so it cannot be used to confirm the upgrade.

Verification Steps

  1. Run `npm list next` in the project root and confirm the version is 14.2.7 or higher.
  2. Send a request to the image optimization endpoint (e.g., `curl -s -o /dev/null -w '%{http_code} %{content_type}\n' 'https://yourdomain.com/_next/image?url=%2Fsome-image.jpg&w=800&q=75'`, where `/some-image.jpg` exists under `public/`) and confirm that after the upgrade it still serves an optimized image (a `200` with an image content type). If you applied the workaround instead, the endpoint should no longer serve optimized images. A single well-formed request is a regression check only; it cannot show that the CPU exhaustion is gone, so treat the version check above as the authoritative evidence.
  3. Check your deployment pipeline or CI output to confirm the correct version of `next` was installed in the production build.

Code Examples (javascript)

Vulnerable
// next.config.js: default config with no image settings (vulnerable on next >= 10.0.0, < 14.2.7)
module.exports = {
  // No images config: the built-in optimizer serves /_next/image with default settings
};
Fixed
// Option A: Upgrade next to 14.2.7+ (preferred fix)
// package.json (then run `npm install` and commit the regenerated lockfile)
{
  "dependencies": {
    "next": "^14.2.7"
  }
}

// Option B: Workaround until you can upgrade: disable the built-in image optimizer in next.config.js
module.exports = {
  images: {
    unoptimized: true,  // next/image serves source files as-is; /_next/image no longer optimizes
  },
};
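Checking a project against the affected range and the workaround settings above, as an added example written for this page (it is not the advisory's or the Next.js project's code). It assumes a `package-lock.json` of lockfileVersion 2 or 3, where the installed copy is recorded under `packages["node_modules/next"]`, and it treats any `images.loader` other than `'default'` as disabling the optimizer, an assumption drawn from the workaround list rather than something the advisory spells out. The lockfile fragments and config objects are constructed inline so the script runs offline; `./my-loader.js` is a placeholder name.

```javascript
// Added example for CVE-2024-47831 (not from the advisory or Next.js itself):
// decide whether a project is patched, mitigated by the next.config.js workaround,
// or still exposed. Reads no files: all inputs below are constructed samples.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into a comparable record.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Comparator: <0, 0, >0. A prerelease (e.g. 14.2.7-canary.3) sorts below the
// matching release, so it is conservatively treated as not yet patched.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  return 0;
}

const AFFECTED_FROM = '10.0.0'; // affected range from the advisory: >= 10.0.0, < 14.2.7
const PATCHED_IN = '14.2.7';

function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
         compareVersions(version, PATCHED_IN) < 0;
}

// Installed `next` from a lockfileVersion 2/3 package-lock.json. package.json's
// own range is not enough: "^14.2.0" can still resolve to 14.2.6 on disk.
function installedNextVersion(lock) {
  const entry = lock && lock.packages && lock.packages['node_modules/next'];
  return entry && entry.version ? entry.version : null;
}

// Workaround from the advisory: images.unoptimized true, or a custom loader
// (images.loader with images.loaderFile). Assumption in this example: any loader
// other than 'default' counts as disabling the built-in optimizer.
function workaroundActive(nextConfig) {
  const images = (nextConfig && nextConfig.images) || {};
  if (images.unoptimized === true) return true;
  if (images.loader && images.loader !== 'default') return true;
  return false;
}

// Verdict for one project: 'patched', 'mitigated', 'vulnerable' or 'unknown'.
function assess(lock, nextConfig) {
  const version = installedNextVersion(lock);
  if (version === null) {
    return { version: null, status: 'unknown', reason: 'next not found in lockfile' };
  }
  if (!isAffectedVersion(version)) {
    return { version, status: 'patched', reason: `next ${version} is outside >=10.0.0 <14.2.7` };
  }
  if (workaroundActive(nextConfig)) {
    return { version, status: 'mitigated', reason: `next ${version} is affected but the optimizer is disabled in next.config.js` };
  }
  return { version, status: 'vulnerable', reason: `next ${version} is affected and /_next/image is enabled` };
}

// Constructed sample inputs (not real project files).
const SAMPLE_LOCK_OLD = { lockfileVersion: 3, packages: { 'node_modules/next': { version: '14.2.6' } } };
const SAMPLE_LOCK_NEW = { lockfileVersion: 3, packages: { 'node_modules/next': { version: '14.2.7' } } };
const CONFIG_DEFAULT = {};                                                    // optimizer on
const CONFIG_WORKAROUND = { images: { unoptimized: true } };                  // Option B above
const CONFIG_CUSTOM_LOADER = { images: { loader: 'custom', loaderFile: './my-loader.js' } }; // placeholder path

for (const [name, lock, cfg] of [
  ['old next, default config', SAMPLE_LOCK_OLD, CONFIG_DEFAULT],
  ['old next, unoptimized', SAMPLE_LOCK_OLD, CONFIG_WORKAROUND],
  ['old next, custom loader', SAMPLE_LOCK_OLD, CONFIG_CUSTOM_LOADER],
  ['patched next, default config', SAMPLE_LOCK_NEW, CONFIG_DEFAULT],
]) {
  const r = assess(lock, cfg);
  console.log(`${name}: ${r.status} (${r.reason})`);
}
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and `require('./next.config.js')`. A prerelease such as `14.2.7-canary.3` is deliberately reported as affected, and a lockfile with no `next` entry yields `unknown` rather than a false `patched`.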

Best Practices

  • Keep your `next` dependency on a range whose floor is the patched release (e.g., `^14.2.7`), commit the lockfile so installs are reproducible, and use a tool like Dependabot or Renovate to receive automated PRs for security patches.
  • Restrict access to the `/_next/image` endpoint at the CDN or reverse-proxy layer with rate limiting to reduce the blast radius of any future DoS-class vulnerabilities.
  • Run `npm audit` (or `pnpm audit`) as part of your CI pipeline to catch known vulnerabilities before they reach production.
  • When upgrading across major Next.js versions, consult the official migration guide to avoid runtime regressions.

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.
