CVE-2025-59471

Denial of Service

Affects >=10.0.0 <15.5.10, >=15.6.0-canary.0 <16.1.5 in Next.js

Versions: NES for Next.js

Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Next.js is a React framework that provides server-side rendering, routing, and production tooling for web applications. The next/server component includes an image optimization pipeline used by next/image to fetch and optimize remote images at runtime.

A medium-severity Denial of Service (DoS) vulnerability, CVE-2025-59471, exists in Next.js v12 when the image optimizer fetches remote images without enforcing a maximum response size. Attackers could supply or host oversized images that cause excessive memory usage; the application can then crash or become unresponsive through memory exhaustion, resulting in a Denial of Service for intended users.

Per OWASP: A Denial of Service (DoS) attack is an attack where attackers attempt to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

Details

Vulnerability Info

This vulnerability affects the next/image remote fetch path in v12. The optimizer downloaded remote images without a built-in maximum size, so a large upstream response could be fully buffered in memory.

The risk is twofold:

  • missing maximum size enforcement allowed arbitrarily large payloads
  • absence of an early header check meant large responses were buffered before rejection

An attacker could exploit this by hosting an oversized image or proxying large responses, triggering high memory usage and degrading availability. 
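The two missing controls listed above correspond to two concrete checks. The following is an added illustration written for this advisory, not Next.js project code: it shows the unbounded "buffer the whole body" pattern beside a bounded fetch that rejects early on a declared Content-Length over the cap and, independently, stops reading the body once a byte budget is exceeded (so a missing or misleading header cannot bypass the limit). The cap `MAX_IMAGE_BYTES`, the function names, and the Node 18+ global `fetch` assumption are the editor's choices, not Next.js settings.

```javascript
// Added example (editor's illustration, not Next.js project code): bound the size of
// a remote image fetch with (1) an early Content-Length check and (2) a streaming
// byte cap that holds even when the header is absent or wrong.
// MAX_IMAGE_BYTES is an assumed value, not a Next.js configuration key.
const MAX_IMAGE_BYTES = 10 * 1024 * 1024;

// The unbounded pattern the advisory describes: the entire upstream body is
// buffered before anything is known about its size, so memory grows with the response.
async function fetchRemoteImageUnbounded(url) {
  const res = await fetch(url);
  return Buffer.from(await res.arrayBuffer());
}

// Early header check. `headers` is any object with a get() method (Fetch Headers,
// or a Map keyed by lowercase header name). Returns null when the request may
// proceed, otherwise a string explaining the rejection.
function checkContentLength(headers, maxBytes) {
  const raw = headers.get('content-length');
  if (raw === null || raw === undefined || raw === '') {
    return null; // length unknown: the streaming cap still applies
  }
  const declared = Number(raw);
  if (!Number.isInteger(declared) || declared < 0) {
    return `invalid content-length ${JSON.stringify(raw)}`;
  }
  if (declared > maxBytes) {
    return `declared size ${declared} exceeds cap of ${maxBytes} bytes`;
  }
  return null;
}

// Running byte budget shared by the sync and async readers below.
class ByteBudget {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.total = 0;
  }
  // Returns false as soon as the running total passes the cap.
  charge(chunk) {
    this.total += chunk.byteLength;
    return this.total <= this.maxBytes;
  }
}

// Streaming cap over an in-memory sequence of chunks: stop at the first chunk
// that pushes the total over maxBytes, so at most maxBytes plus one chunk is
// ever held. Returns a result object rather than throwing, for easy checking.
function collectChunks(chunks, maxBytes) {
  const budget = new ByteBudget(maxBytes);
  const parts = [];
  for (const chunk of chunks) {
    if (!budget.charge(chunk)) {
      return { ok: false, bytesSeen: budget.total, reason: `response exceeded cap of ${maxBytes} bytes` };
    }
    parts.push(Buffer.from(chunk));
  }
  return { ok: true, bytesSeen: budget.total, body: Buffer.concat(parts) };
}

// Hardened fetch: abort the upstream connection on either check so the rest of
// the body is never read or buffered. Requires Node 18+ (global fetch, async-iterable body).
async function fetchRemoteImageBounded(url, maxBytes = MAX_IMAGE_BYTES) {
  const controller = new AbortController();
  const res = await fetch(url, { signal: controller.signal });
  const reject = (msg) => { controller.abort(); throw new RangeError(msg); };

  if (!res.ok || !res.body) reject(`upstream returned status ${res.status}`);
  const headerProblem = checkContentLength(res.headers, maxBytes);
  if (headerProblem) reject(headerProblem);

  const budget = new ByteBudget(maxBytes);
  const parts = [];
  for await (const chunk of res.body) {
    if (!budget.charge(chunk)) reject(`response exceeded cap of ${maxBytes} bytes`);
    parts.push(Buffer.from(chunk));
  }
  return Buffer.concat(parts);
}
```

The header check alone is not sufficient: a server can omit Content-Length or send a chunked response, which is why the byte budget is enforced on every chunk and the connection is aborted rather than merely discarding the excess.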

Mitigation

Next.js version 12 is End-of-Life and will not receive any updates to address this issue. For more information see the Next.js Support Policy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to a fixed version of Next.js.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

ID: CVE-2025-59471
Project affected: Next.js
Versions affected: >=10.0.0 <15.5.10, >=15.6.0-canary.0 <16.1.5
NES versions affected: NES for Next.js
Published date: February 13, 2026
Fix date (approximate): February 12, 2026
Severity: Medium
CVSS assessment scale: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10
Category: Denial of Service