Publish GHSA-9g9p-9gw9-jx7f

advisory-database[bot] · advisory-database[bot] · commit 67733956e0e1 · 2026-01-27T19:20:05.000Z
diff --git a/advisories/github-reviewed/2026/01/GHSA-9g9p-9gw9-jx7f/GHSA-9g9p-9gw9-jx7f.json b/advisories/github-reviewed/2026/01/GHSA-9g9p-9gw9-jx7f/GHSA-9g9p-9gw9-jx7f.json
@@ -0,0 +1,97 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9g9p-9gw9-jx7f",
+  "modified": "2026-01-27T19:18:25Z",
+  "published": "2026-01-27T19:18:25Z",
+  "aliases": [
+    "CVE-2025-59471"
+  ],
+  "summary": "Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",
+  "details": "A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.\n\nStrongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.0.0"
+            },
+            {
+              "fixed": "15.5.10"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "15.6.0-canary.0"
+            },
+            {
+              "fixed": "16.1.5"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59471"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vercel/next.js"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/releases/tag/v15.5.10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/releases/tag/v16.1.5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400",
+      "CWE-770"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-27T19:18:25Z",
+    "nvd_published_at": "2026-01-26T22:15:52Z"
+  }
+}
