Summaries of CVE-2025-59471 and CVE-2025-59472 - Vercel

Vercel News·Josh Story·4 days ago

Two medium-severity denial-of-service vulnerabilities were discovered in self-hosted Next.js applications. Both issues can cause server crashes through memory exhaustion under specific configurations. No data exposure or privilege escalation is possible. Applications hosted on Vercel’s platform are not affected by these issues, and require no customer action.

Summary

CVE-2025-59471 (CVSS 5.9) affects the Image Optimizer when external image optimization is enabled via remotePatterns. The /_next/image endpoint loads remote images fully into memory without enforcing a maximum size, allowing an attacker to trigger out-of-memory conditions using very large images hosted on an allowed domain.

CVE-2025-59472 (CVSS 5.9) affects applications with Partial Pre-Rendering (PPR) enabled in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests and processes attacker-controlled data, allowing memory exhaustion through unbounded request buffering or decompression.…
