Summary of CVE-2025-59471 and CVE-2025-59472

Source: Vercel News

Original text

Two medium-severity denial-of-service vulnerabilities were discovered in self-hosted Next.js applications. Both issues can cause server crashes through memory exhaustion under specific configurations. No data exposure or privilege escalation is possible.

Applications hosted on Vercel’s platform are not affected by these issues, and require no customer action.

Summary

CVE-2025-59471 (CVSS 5.9) affects the Image Optimizer when external image optimization is enabled via remotePatterns. The /_next/image endpoint loads remote images fully into memory without enforcing a maximum size, allowing an attacker to trigger out-of-memory conditions using very large images hosted on an allowed domain.

CVE-2025-59472 (CVSS 5.9) affects applications with Partial Pre-Rendering (PPR) enabled in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests and processes attacker-controlled data, allowing memory exhaustion through unbounded request buffering or decompression.

Affected Versions

CVE-2025-59471

  • Next.js versions >=10 through <15.5.10

  • Next.js versions >=16 through <16.1.5

CVE-2025-59472

  • Next.js versions >=15 through <15.6.0-canary.61

  • Next.js versions >=16 through <16.1.5

Impact

Both vulnerabilities can cause the Node.js process to terminate due to memory exhaustion, resulting in application downtime.

CVE-2025-59471 requires external image optimization to be enabled and the attacker to control a large image hosted on an allowed domain.

CVE-2025-59472 only affects applications running with the experimental.ppr: true or cacheComponents: true configuration options and NEXT_PRIVATE_MINIMAL_MODE=1 as an environment variable.

Resolution

Fixed in:

  • 15.5.10

  • 15.6.0-canary.61

  • 16.1.5

  • 16.2.0-canary.9

Workaround:

For self-hosted deployments unable to upgrade immediately:

  • Restrict or remove untrusted remotePatterns

  • Disable Partial Pre-Rendering or minimal mode

  • Apply strict request size limits at the reverse proxy layer
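The first workaround can be checked mechanically. The following is an added example, not code from the advisory or from the Next.js project: it audits the `images.remotePatterns` entries of a next.config.js and shows which image URLs a tightened entry admits; the glob matcher approximates the documented wildcard rules rather than reproducing the real implementation, and the sample entries and hostnames are constructed.

```javascript
// Added example, not code from the advisory or from Next.js: audit the images.remotePatterns
// entries of a next.config.js and test which image URLs they admit. The matcher approximates
// the documented wildcard rules ('*' = one hostname label or path segment, '**' = any number)
// and is an assumption, not the real Next.js implementation.

// Constructed sample configs: a permissive entry beside a tightened one.
const permissivePatterns = [{ protocol: 'https', hostname: '**' }]; // any https host qualifies
const tightenedPatterns = [
  { protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' },
];

// Turn a remotePatterns glob into an anchored regex; sep is '.' for hostnames, '/' for paths.
function globToRegex(glob, sep) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const body = escaped
    .replace(/\*\*/g, '\u0000') // placeholder so '**' is not consumed by the '*' rule
    .replace(/\*/g, `[^${sep}]*`) // '*' stays inside one label or segment
    .replace(/\u0000/g, '.*'); // '**' spans any number of them
  return new RegExp(`^${body}$`);
}

// Does urlString fall inside one entry? Checks protocol, port, hostname (required) and pathname.
function matchesPattern(urlString, pattern) {
  const url = new URL(urlString);
  if (pattern.protocol && `${pattern.protocol}:` !== url.protocol) return false;
  if (pattern.port !== undefined && String(pattern.port) !== url.port) return false;
  if (!globToRegex(pattern.hostname, '.').test(url.hostname)) return false;
  return !pattern.pathname || globToRegex(pattern.pathname, '/').test(url.pathname);
}

function isAllowed(urlString, patterns) {
  return patterns.some((p) => matchesPattern(urlString, p));
}

// Flag entries broad enough that a third party can pick the image origin or path.
function auditRemotePatterns(patterns) {
  const findings = [];
  patterns.forEach((p, i) => {
    if (!p.hostname || p.hostname === '**' || p.hostname === '*') {
      findings.push(`entry ${i}: hostname admits any domain`);
    } else if (p.hostname.includes('**')) {
      findings.push(`entry ${i}: hostname admits arbitrary subdomains`);
    }
    if (p.protocol === 'http') findings.push(`entry ${i}: plaintext http source`);
    if (!p.pathname || p.pathname === '/**') findings.push(`entry ${i}: no pathname restriction`);
  });
  return findings;
}
```

Request size limits for the second and third workarounds belong in the reverse proxy configuration and are not covered by this check.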

Credit

We thank Andrew MacPherson for their responsible disclosure through our bug bounty program.
