Vercel Next.js
cpe:2.3:a:vercel:next.js:*:*:*:*:node.js:*:*
- >= 10.0.0, < 15.5.16
- >= 16.0.0, < 16.2.5
A denial-of-service vulnerability has been identified in Next.js versions 10.0.0 prior to 15.5.16 and 16.0.0 prior to 16.2.5. When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images into memory without a maximum size limit. This allows an attacker to cause out-of-memory conditions by requesting large local assets from the '/_next/image' endpoint that match the 'images.localPatterns' configuration, which by default allows all patterns. Users on Vercel or those using 'images.unoptimized: true' or 'images.loader: custom' are not impacted.
Exploitation of this vulnerability can lead to out-of-memory conditions, causing the application to exhaust available process memory and potentially crash.
Users can upgrade to Next.js versions 15.5.16 or 16.2.5 to address this vulnerability. If an immediate upgrade is not possible, large local assets should be routed away from the '/_next/image' endpoint, image optimization for large or untrusted local files should be disabled, or access to those assets should be blocked at the edge. The 'images.localPatterns' configuration can be set to an empty array to disable optimization for local files, while still allowing remote images.
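One way to apply the "block at the edge" mitigation above, as an added example that is not part of the advisory or of Next.js itself: a pure decision function that an app's middleware could call so that `/_next/image` serves local images only from directories assumed to hold small assets. The allowlist, the function name and the `http://localhost` base used for parsing are assumptions for this illustration.

```javascript
// Added example, not part of the advisory or of Next.js. It models an
// edge-side gate for the Image Optimization API: local images reach
// /_next/image only when they live under directories known to hold small
// assets, so an oversized local file cannot be pulled into memory.
// The allowlist and the function name are assumptions for this illustration.
const SMALL_LOCAL_IMAGE_PREFIXES = ["/icons/", "/avatars/"]; // assumed layout

/**
 * Decide whether a request may reach the image optimizer.
 * `requestUrl` is the path-and-query of the incoming request.
 * Returns { allow, reason }; middleware would answer 403 when allow is false.
 */
function imageRequestDecision(requestUrl, allowedPrefixes = SMALL_LOCAL_IMAGE_PREFIXES) {
  const request = new URL(requestUrl, "http://localhost");
  if (request.pathname !== "/_next/image") {
    return { allow: true, reason: "not an image optimization request" };
  }
  // searchParams.get() already applies one round of percent-decoding.
  const target = request.searchParams.get("url");
  if (!target) {
    return { allow: false, reason: "missing url parameter" };
  }
  // Absolute URLs are remote images, governed by images.remotePatterns rather
  // than by this issue; hand them on to Next.js' own checks.
  if (/^https?:\/\//i.test(target)) {
    return { allow: true, reason: "remote image" };
  }
  // Everything else is a local asset. Decode once more and resolve it as a
  // path so that encoded traversal (e.g. /icons/..%2Fhuge.png) collapses
  // before the prefix check; fail closed on anything that will not parse.
  let resolved;
  try {
    resolved = new URL(decodeURIComponent(target), "http://localhost");
  } catch {
    return { allow: false, reason: "malformed url parameter" };
  }
  if (resolved.origin !== "http://localhost") {
    return { allow: false, reason: "protocol-relative url is not a local asset" };
  }
  const allowed = allowedPrefixes.some((prefix) => resolved.pathname.startsWith(prefix));
  return allowed
    ? { allow: true, reason: "local image under an allowlisted directory" }
    : { allow: false, reason: `local path ${resolved.pathname} is not allowlisted` };
}
```

Pair this with `images.localPatterns` set to the same directories (or to an empty array, as the advisory suggests) so the application-level configuration and the edge gate agree.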