## Next.js 16.1.7 Patches Critical DoS Vulnerability in Image Optimizer (CVE-2025-59471)
A critical Denial-of-Service (DoS) vulnerability has been patched in self-hosted Next.js applications: a memory-exhaustion attack reachable through the framework's image optimization endpoint. The flaw, tracked as CVE-2025-59471, resides in the Image Optimizer component of applications that configure `remotePatterns` to allow external image sources. According to the security advisory, the endpoint (`/_next/image`) fetches the requested external image and buffers it entirely in memory without enforcing a maximum size, so an attacker who can point it at a sufficiently large image can drive the server process out of memory and crash the application. Exposure therefore depends on what `remotePatterns` permits: a wildcard hostname lets the optimizer fetch from any origin an attacker controls, while a tight allowlist limits the attack to oversized images reachable on the listed hosts.

The vulnerability specifically affects self-hosted deployments of Next.js, the React framework maintained by Vercel. Versions prior to 16.1.7 are affected. The GitHub security advisory (GHSA-9g9p-9gw9-jx7f) explains that an attacker exploits the flaw by requesting extremely large external images through the unprotected endpoint; each such request consumes memory until the process is exhausted and service is disrupted. This is a significant risk for any production application that relies on Next.js's built-in image optimization with external sources.

The patch, released in version 16.1.7, enforces a maximum size on images fetched by the optimizer. The update is being distributed via automated dependency management tools such as RenovateBot, which flags it as a high-priority security update. Developers and security teams should upgrade their Next.js dependency to version 16.1.7 or later without delay; until that is done, narrowing `remotePatterns` to the specific hosts and paths the application actually needs reduces how easily an attacker can supply an oversized image. Unpatched applications remain open to targeted attacks that lead to sustained downtime and resource exhaustion.
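The two controls discussed above, a byte cap applied while an upstream image body streams in and an audit of `remotePatterns` for entries that allow any host, as an added example. This is not code from Next.js, Vercel or the advisory, and the upgrade to 16.1.7 remains the fix; the example shows the shape of the missing check and how to spot an exposed configuration in your own code. Every name below (`MAX_IMAGE_BYTES`, `createByteLimiter`, `readBodyWithLimit`, `fetchImageBounded`, `findAnyHostRemotePatterns`) and the sample config entries are this example's own assumptions.

```javascript
// Added example, not Next.js or advisory code. Demonstrates (1) capping an
// upstream image body while it streams, so an oversized response is rejected
// before it is held fully in memory, and (2) auditing images.remotePatterns
// for entries whose hostname is only wildcards. All names are assumed here.

const MAX_IMAGE_BYTES = 8 * 1024 * 1024; // assumed cap; size it for your own deployment

// Returns an accept(chunk) function that tracks bytes seen and throws once the
// running total passes maxBytes. It is synchronous so any chunk source can use it.
function createByteLimiter(maxBytes = MAX_IMAGE_BYTES) {
  let total = 0;
  return function accept(chunk) {
    total += chunk.length;
    if (total > maxBytes) {
      const err = new Error(`upstream body exceeds ${maxBytes} bytes`);
      err.code = 'E_IMAGE_TOO_LARGE';
      throw err;
    }
    return total;
  };
}

// Cheap early rejection: if the origin declares a Content-Length above the cap,
// do not read the body at all. An absent or lying header is still caught by the
// streaming limiter, so this is an optimisation, not the control.
function contentLengthExceeds(headers, maxBytes = MAX_IMAGE_BYTES) {
  const raw = typeof headers.get === 'function'
    ? headers.get('content-length')
    : headers['content-length'];
  if (raw == null) return false;
  const declared = Number(raw);
  return Number.isFinite(declared) && declared > maxBytes;
}

// Drain an async iterable of Uint8Array chunks (a fetch() Response.body works,
// as does any async generator) under the limiter. Returns the bytes if they fit
// and throws as soon as the cap is crossed, without buffering the remainder.
async function readBodyWithLimit(body, maxBytes = MAX_IMAGE_BYTES) {
  const accept = createByteLimiter(maxBytes);
  const chunks = [];
  let total = 0;
  for await (const chunk of body) {
    total = accept(chunk);
    chunks.push(chunk);
  }
  const out = new Uint8Array(total);
  let offset = 0;
  for (const c of chunks) { out.set(c, offset); offset += c.length; }
  return out;
}

// Bounded fetch of a remote image. fetchImpl is injectable so the function can
// be exercised without network access; the AbortController stops the origin
// from sending the rest of an oversized body once it is rejected.
async function fetchImageBounded(url, { maxBytes = MAX_IMAGE_BYTES, fetchImpl = globalThis.fetch } = {}) {
  const controller = new AbortController();
  const res = await fetchImpl(url, { signal: controller.signal });
  if (contentLengthExceeds(res.headers, maxBytes)) {
    controller.abort();
    throw new Error(`declared Content-Length exceeds ${maxBytes} bytes`);
  }
  try {
    return await readBodyWithLimit(res.body, maxBytes);
  } catch (err) {
    controller.abort();
    throw err;
  }
}

// Config audit: Next.js hostname patterns accept '*' (one DNS label) and '**'
// (any number of labels). An entry whose hostname is nothing but wildcards lets
// the optimizer fetch from any origin an attacker controls, which is the
// configuration that turns this advisory into an unauthenticated remote DoS.
// Entries like '**.example.com' are not flagged here but still deserve review.
function findAnyHostRemotePatterns(remotePatterns = []) {
  return remotePatterns.filter((p) => /^\*{1,2}$/.test(p.hostname ?? ''));
}

// Constructed input: an async generator standing in for an origin that streams
// far more than the cap, plus two constructed remotePatterns entries.
async function* oversizedBody(chunkBytes, chunkCount) {
  const chunk = new Uint8Array(chunkBytes);
  for (let i = 0; i < chunkCount; i++) yield chunk;
}

const sampleRemotePatterns = [
  { protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' },
  { protocol: 'https', hostname: '**' },
];

// Stand-alone demo: a 1 KiB cap against a 64 x 1 KiB stream is rejected on the
// second chunk, and the wildcard-only entry is reported by the audit.
readBodyWithLimit(oversizedBody(1024, 64), 1024)
  .then(() => console.log('unexpected: oversized body accepted'))
  .catch((err) => console.log('rejected as intended:', err.message));
console.log('any-host remotePatterns:', findAnyHostRemotePatterns(sampleRemotePatterns));
```

The limiter is applied per chunk rather than after the body has been collected, which is the difference that matters for memory exhaustion: the peak allocation is bounded by the cap plus one chunk, not by whatever the origin chooses to send.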
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2025-59471, Next.js, Vercel, Denial-of-Service, Security Patch
- **Credibility**: unverified
- **Published**: 2026-04-01 18:27:21
- **ID**: 45873
- **URL**: https://whisperx.ai/en/intel/45873