Listen to this Post
How the CVE Works:
The vulnerability resides in the Image Optimization API (/_next/image) of self-hosted Next.js applications. When the `remotePatterns` configuration in `next.config.js` allows fetching images from external domains, the optimizer retrieves the entire remote image file into server memory before processing. This mechanism lacks a mandatory size limit check. An attacker who controls a server on an allowed domain can host an arbitrarily large image file (e.g., several gigabytes). By repeatedly requesting the Next.js server to optimize this oversized image via its public endpoint, the attacker can cause the application to allocate massive amounts of memory. This leads to out-of-memory (OOM) conditions, exhausting the host’s resources, crashing the Node.js process, and resulting in a full Denial-of-Service for the application. The attack is contingent on the `remotePatterns` being permissively configured.
dailycve form:
Platform: Next.js
Version: 10.0.0-15.5.9
Vulnerability: Memory Exhaustion DoS
Severity: Moderate
date: 2026-01-26
Prediction: Patch released 2026-01-27
What Undercode Say:
Simulating a malicious image host dd if=/dev/zero of=large.jpg bs=1G count=5 Curl request to trigger the vulnerability curl "https://target-app.com/_next/image?url=https://attacker.com/large.jpg&w=1080&q=75"
// Example of an insecure next.config.js enabling the vulnerability
module.exports = {
images: {
remotePatterns: [
{
protocol: 'https',
hostname: '', // Overly permissive pattern
pathname: '/',
},
],
},
}
How Exploit:
1. Identify target with permissive `remotePatterns`.
- Host a multi-gigabyte image on an allowed domain.
3. Send repeated optimization requests to `/_next/image`.
4. Target server memory fills, causing OOM crash.
Protection from this CVE:
Upgrade to Next.js 15.5.10 or 16.1.5.
Restrict `remotePatterns` hostname strictly.
Implement external CDN for images.
Use resource limits (e.g., cgroups, container memory).
Impact:
Application Denial-of-Service.
Resource exhaustion crashes.
Availability loss.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

