MEDIUM · CVSS 5.9
CVE-2024-47831 — Next.js image optimization DoS
An unauthenticated attacker could exhaust CPU by requesting the image-optimization endpoint with crafted remote URLs that forced expensive decode + re-encode cycles on the Next.js server.
Affects
- Next.js 10.0.0 through 14.2.6
What an attacker does
The attacker sends concurrent requests to `/_next/image?url=...` pointing at a large image (or many small ones). Each request consumes CPU on the server while it decodes and re-encodes the fetched image; legitimate users see elevated latency and eventual timeouts.
How to detect
Check the installed Next.js version against the affected range above, and confirm that `images.remotePatterns` in `next.config.mjs` is restrictive (only hosts you control, with no bare wildcard hostnames).
How to fix
Upgrade Next.js to 14.2.7 or later (or to 15.x). Additionally, restrict `images.remotePatterns` in `next.config.mjs` to hosts you control.
How Securie catches it
Securie flags permissive `images.remotePatterns` configurations.
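The following is an added example, not code from Next.js or from Securie, that serves both the detection step and the `remotePatterns` restriction in the fix: a small Node.js audit that reads a Next.js `images.remotePatterns` list and flags entries broad enough to let the optimizer fetch from hosts the operator does not control. The two config objects and every hostname in them are constructed for this example; `cdn.example.com` is a placeholder for a host you control, and the severity rules are this example's own, not Securie's.

```javascript
// Added example (not Next.js or Securie code): audit a Next.js
// `images.remotePatterns` list for entries that admit arbitrary remote hosts.
// Both configs below are constructed for this example.

// Permissive: `**` as the whole hostname matches every remote origin, so the
// optimizer will decode and re-encode whatever `url=` points at.
const permissiveConfig = {
  images: {
    remotePatterns: [{ protocol: 'https', hostname: '**' }],
  },
};

// Restricted: one operator-controlled host (placeholder name), pinned to https
// and to a path prefix.
const restrictedConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' },
    ],
  },
};

// Next.js hostname patterns use `*` for one subdomain label and `**` for any
// number of leading labels. Strip those and check whether a concrete domain
// remains; if nothing does, the pattern matches any host on the internet.
function isUnboundedHostname(hostname) {
  if (typeof hostname !== 'string' || hostname.trim() === '') return true;
  const concreteLabels = hostname
    .split('.')
    .filter((label) => label !== '*' && label !== '**');
  return concreteLabels.length === 0;
}

// Walk every pattern and return a list of findings; an empty list means the
// config is restrictive enough under the rules above.
function auditRemotePatterns(config) {
  const patterns = (config.images && config.images.remotePatterns) || [];
  const findings = [];
  patterns.forEach((pattern, index) => {
    if (isUnboundedHostname(pattern.hostname)) {
      findings.push({
        index,
        severity: 'high',
        reason: `hostname "${pattern.hostname ?? ''}" matches any remote host`,
      });
    }
    if (!pattern.protocol) {
      findings.push({
        index,
        severity: 'low',
        reason: 'protocol not pinned; http and https are both accepted',
      });
    }
    if (pattern.pathname === undefined) {
      findings.push({
        index,
        severity: 'info',
        reason: 'no pathname restriction; any path on the host is fetchable',
      });
    }
  });
  return findings;
}

// Highest severity among the findings, usable as a CI gate ("fail on high").
function worstSeverity(findings) {
  const rank = { none: 0, info: 1, low: 2, high: 3 };
  return findings.reduce(
    (worst, f) => (rank[f.severity] > rank[worst] ? f.severity : worst),
    'none'
  );
}

// Usage: run both constructed configs through the audit.
console.log(JSON.stringify(auditRemotePatterns(permissiveConfig), null, 2));
console.log('restricted config worst severity:', worstSeverity(auditRemotePatterns(restrictedConfig)));
```

To apply this to a real project, import the object exported by your `next.config.mjs` and pass it to `auditRemotePatterns`; a `high` finding means an entry whose hostname, after removing wildcard labels, names no concrete domain at all.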