Denial of Service condition in Next.js image optimization

GHSA-g77x-44xx-532m · CVE-2024-47831

Published Oct 14, 2024 · Modified Feb 4, 2026

Description

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

References

WEB https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-47831
WEB https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a
PACKAGE https://github.com/vercel/next.js

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes