VulWall Team March 19, 2026 4 min read

Next.js Image Feature Can Be Abused to Take Your Website Offline

Your website uses a feature in Next.js that automatically resizes and optimises images. A flaw in versions before 15.5.10 means an attacker could point this feature at an extremely large image and force your server to run out of memory — crashing your site. The attacker needs to be able to host or control a large image on a domain your site is already configured to trust.

OWASP A05 Effort: small Exploitable
dos memory-exhaustion nextjs image-optimizer cve cve-2025-59471 remote-patterns availability

Business Impact And Actions

high urgency

Business Impact

If exploited, your website could become completely unavailable to customers until the server is restarted. Repeated attacks could cause sustained downtime, affecting revenue, customer trust, and — if you operate under any uptime SLAs or compliance frameworks — potential contractual or regulatory exposure. The attack requires a specific configuration to be in place (external image optimisation enabled), so not every Next.js site is affected.

What To Do

  1. Ask your developer to check whether your Next.js version is below 15.5.10 and whether 'remotePatterns' is configured in your image settings — this takes about 10 minutes.
  2. If both conditions are true, ask your developer to upgrade Next.js to version 15.5.10 or later. This is a standard package update and should take under an hour for most projects.
  3. If an immediate upgrade is not possible, ask your developer to tighten the list of allowed image domains to only those you fully control — this reduces the window of opportunity for an attacker.
  4. After the upgrade, ask your developer to confirm the fix by checking the installed Next.js version in your project.

Next.js Image Optimizer DoS via Unbounded Memory Allocation in remotePatterns (CVE-2025-59471)

medium severity CVSS 5.9

Vulnerability Explanation

The Next.js built-in Image Optimisation endpoint (`/_next/image`) fetches remote images and processes them in memory before serving an optimised version to the client. In affected versions, there is no enforced maximum size limit on the remote image fetched. An attacker who can host or control a sufficiently large image on any domain permitted by the application's `remotePatterns` configuration can trigger repeated optimisation requests, causing the Node.js process to exhaust available memory and crash. The attack is network-accessible and requires no authentication — only the ability to serve a large file from an allowed hostname.

Root Cause

The image optimisation pipeline loads the full remote image payload into memory before processing, with no upper bound on the response body size. This is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The missing guard means that resource consumption is entirely controlled by the content of the remote server, not by the application itself.

Technical Impact

An unauthenticated attacker can cause the Node.js server process to terminate due to out-of-memory conditions, resulting in a full denial of service. Recovery requires a process restart. Repeated requests can sustain the outage. There is no data exfiltration or code execution risk — the impact is limited to availability.

Severity Justification

CVSS 5.9 (Moderate) per the official GitHub Security Advisory (GHSA-9g9p-9gw9-jx7f). Network-accessible with no authentication required, but exploitation is conditional: the attacker must be able to serve a large image from a domain already trusted in remotePatterns, limiting the realistic attacker pool.

Affected Components

  • next >= 10.0.0, < 15.5.10
  • next >= 15.6.0-canary.0, < 16.1.5

Remediation Steps

  1. Upgrade Next.js to 15.5.10 (stable) or 16.1.5 (canary track): `npm install next@15.5.10` or `npm install next@16.1.5`. This is the primary and recommended fix.
  2. If an immediate upgrade is blocked, tighten `remotePatterns` in `next.config.js` to the narrowest possible scope — use exact hostnames and specific `pathname` prefixes rather than wildcards. Avoid patterns like `hostname: '**.example.com'` unless strictly necessary.
  3. If you cannot upgrade and need a short-term workaround, consider routing image optimisation through an external CDN (e.g. Cloudflare Images, Imgix, Cloudinary) using a custom `loaderFile`. This offloads the memory-intensive processing away from your Node.js server.
  4. After upgrading, verify the installed version and redeploy. Confirm the `/_next/image` endpoint is served by the patched build.

Verification Steps

  1. Run `npm list next` or `cat node_modules/next/package.json | grep '"version"'` to confirm the installed version is 15.5.10 or later.
  2. Make a test request to `/_next/image?url=<allowed-url>&w=800&q=75` and confirm it returns a valid optimised image without errors.
  3. Review `next.config.js` to confirm `remotePatterns` entries use specific hostnames and pathnames rather than broad wildcards.

Code Examples (javascript)

Vulnerable
// next.config.js — vulnerable: broad wildcard remotePatterns, Next.js < 15.5.10
module.exports = {
  images: {
    remotePatterns: [
      {
        protocol: 'https',
        hostname: '**.example.com', // overly broad
      },
    ],
  },
};
Fixed
// next.config.js — fixed: upgrade Next.js AND narrow remotePatterns
// 1. Upgrade: npm install next@15.5.10
// 2. Tighten remotePatterns to specific paths
module.exports = {
  images: {
    remotePatterns: [
      {
        protocol: 'https',
        hostname: 'assets.example.com',  // exact hostname
        pathname: '/uploads/**',          // specific path prefix
      },
    ],
  },
};

Best Practices

  • Pin `remotePatterns` to the narrowest hostname and pathname scope your application actually needs — avoid wildcards unless required.
  • Set up automated dependency update tooling (e.g. Dependabot or Renovate) to receive Next.js security patches promptly.
  • Place a reverse proxy (e.g. Nginx, Cloudflare) in front of your Node.js server with request rate limiting on `/_next/image` to reduce the blast radius of resource-exhaustion attacks.
  • Consider offloading image optimisation to a dedicated external service (Cloudflare Images, Imgix, Cloudinary) for production workloads — this removes the attack surface from your application server entirely.

References

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.

Scan Your Domain Free
Back to Knowledge Base