Summaries of CVE-2025-59471 and CVE-2025-59472
Two medium-severity denial-of-service vulnerabilities, CVE-2025-59471 and CVE-2025-59472, affect self-hosted Next.js apps, causing server crashes via memory exhaustion; Vercel-hosted apps are unaffected.
Two medium-severity denial-of-service vulnerabilities were discovered in self-hosted Next.js applications. Both issues can cause server crashes through memory exhaustion under specific configurations. No data exposure or privilege escalation is possible. Applications hosted on Vercel’s platform are not affected by these issues, and no customer action is required.

CVE-2025-59471 (CVSS 5.9) affects the Image Optimizer when external image optimization is enabled via remotePatterns. The /_next/image endpoint loads remote images fully into memory without enforcing a maximum size, allowing an attacker to trigger out-of-memory conditions using very large images hosted on an allowed domain.

CVE-2025-59472 (CVSS 5.9) affects applications with Partial Pre-Rendering (PPR) enabled in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests and processes attacker-controlled data, allowing memory exhaustion through unbounded request buffering or decompression.

Both vulnerabilities can cause the Node.js process to terminate due to memory exhaustion, resulting in application downtime. CVE-2025-59471 requires external image optimization to be enabled and the attacker to…