214 matches found

Veracode
added 2026/02/02 6:57 a.m. · 5 views

Denial Of Service (DoS)

Next.js is vulnerable to Denial of Service (DoS). The vulnerability is due to the image optimization endpoint loading external images into memory without enforcing a maximum size limit, which allows an attacker to request optimization of arbitrarily large images and trigger out-of-memory conditions...

CVSS 7.5 · AI score 5.5 · EPSS 0.00041
Exploits 0 · References 6 · Affected software 1
Snyk
added 2026/01/26 10:49 p.m. · 3 views

Allocation of Resources Without Limits or Throttling

Overview: next is a React framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the fetchExternalImage function, which is used for image optimization and loads external images into memory without a maximum size limit. An attacker ca...

CVSS 8.2 · AI score 5.9 · EPSS 0.0015
Exploits 0 · References 2
Positive Technologies
added 2026/01/26 12:00 a.m. · 3 views

PT-2026-4816

Name of the Vulnerable Software and Affected Versions: Next.js versions prior to 15.5.10; Next.js versions prior to 16.1.5. Description: A denial of service issue exists in self-hosted Next.js applications utilizing the Image Optimizer with configured remotePatterns. The image optimization endpoint /...

CVSS 7.5 · AI score 5.9 · EPSS 0.0015
Exploits 0 · References 18
CNNVD
added 2026/01/26 12:00 a.m. · 4 views

Next.js security vulnerabilities

Next.js is an open-source React framework by Vercel. Next.js has a security vulnerability that stems from the image optimization endpoint not enforcing a maximum size limit, which could lead to memory exhaustion and denial of service...

CVSS 7.5 · AI score 5.8 · EPSS 0.00041
Exploits 0 · References 1
RedhatCVE
added 2026/01/09 10:45 a.m. · 5 views

CVE-2022-0969

The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability i...

CVSS 4.8 · AI score 6.2 · EPSS 0.00287
Exploits 2 · References 1
IBM Security Bulletins
added 2026/01/05 11:20 a.m. · 7 views

Security Bulletin: Multiple Vulnerabilities in IBM Event Processing

Summary: IBM Event Processing was affected by multiple vulnerabilities. These affect the operator and frontend components. Vulnerability Details: CVEID: CVE-2025-57752 DESCRIPTION: Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0....

CVSS 7.5 · AI score 5.2 · EPSS 0.00687
Exploits 3 · Affected software 1
IBM Security Bulletins
added 2025/12/19 9:06 p.m. · 13 views

Security Bulletin: Components with known vulnerabilities in IBM Security QRadar Analyst Workflow for IBM QRadar SIEM

Summary: Multiple components with known vulnerabilities were addressed in an IBM Security QRadar Analyst Workflow for IBM QRadar SIEM release. Vulnerability Details: CVEID: CVE-2025-64756 DESCRIPTION: Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions...

CVSS 9.4 · AI score 7.2 · EPSS 0.92118
Exploits 66 · Affected software 1
CVE
added 2025/12/05 5:31 a.m. · 10 views

CVE-2025-12190

CVE-2025-12190 affects the WordPress plugin Image Optimizer by wps.sk (versions ≤ 1.2.0) with CSRF due to missing nonce validation in imagopby_ajax_optimize_gallery(). Multiple connected sources confirm the CSRF flaw and impacted plugin/version; however, no patch/version remediation is detailed i...

CVSS 4.3 · AI score 4.9 · EPSS 0.00011
Exploits 0 · References 3
Vulnrichment
added 2025/12/05 5:31 a.m. · 2 views

CVE-2025-12190 Image Optimizer by wps.sk <= 1.2.0 - Cross-Site Request Forgery to Bulk Image Optimization

The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery function. This makes it possible for unauthenticated attackers to...

CVSS 4.3 · AI score 4.9 · EPSS 0.00011
Exploits 0 · References 3
Cvelist
added 2025/12/05 5:31 a.m. · 25 views

CVE-2025-12190 Image Optimizer by wps.sk <= 1.2.0 - Cross-Site Request Forgery to Bulk Image Optimization

The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery function. This makes it possible for unauthenticated attackers to...

CVSS 4.3 · EPSS 0.00011
Exploits 0 · References 3
IBM Security Bulletins
added 2025/12/01 5:49 p.m. · 10 views

Security Bulletin: IBM Edge Data Collector uses next-15.3.1.tgz which is vulnerable to CVE-2025-55173, CVE-2025-57752.

Summary: IBM Edge Data Collector uses next-15.3.1.tgz which is vulnerable to CVE-2025-55173, CVE-2025-57752. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details: CVEID: CVE-2025-55173 DESCRIPTION: Next.js is a React framework for building full-stack...

CVSS 6.2 · AI score 6.7 · EPSS 0.00687
Exploits 0 · Affected software 1
RedhatCVE
added 2025/11/20 9:37 p.m. · 17 views

CVE-2025-64757

Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote...

CVSS 3.5 · AI score 6.6 · EPSS 0.00022
Exploits 1 · References 1
Snyk
added 2025/11/19 7:43 p.m. · 2 views

Relative Path Traversal

Overview: @astrojs/cloudflare is a package to deploy your site to Cloudflare Workers/Pages. Affected versions of this package are vulnerable to Relative Path Traversal via the href parameter in the image optimization endpoint during development mode. An attacker can access arbitrary local image files readable...

CVSS 5.1 · AI score 6.6 · EPSS 0.00022
Exploits 1 · References 3
Snyk
added 2025/11/19 7:43 p.m. · 2 views

Relative Path Traversal

Overview: @astrojs/node is a package to deploy your site to a Node.js server. Affected versions of this package are vulnerable to Relative Path Traversal via the href parameter in the image optimization endpoint during development mode. An attacker can access arbitrary local image files readable by the Node.j...

CVSS 5.1 · AI score 6.6 · EPSS 0.00022
Exploits 1 · References 3
Snyk
added 2025/11/19 7:43 p.m. · 3 views

Relative Path Traversal

Overview: Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Relative Path Traversal via the href parameter in the image optimization endpoint during development mode. An attacker can access...

CVSS 5.1 · AI score 6.6 · EPSS 0.00022
Exploits 1 · References 3
Snyk
added 2025/11/19 7:43 p.m. · 3 views

Relative Path Traversal

Overview: @astrojs/internal-helpers provides internal helpers used by core Astro packages. Affected versions of this package are vulnerable to Relative Path Traversal via the href parameter in the image optimization endpoint during development mode. An attacker can access arbitrary local image files...

CVSS 5.1 · AI score 6.7 · EPSS 0.00022
Exploits 1 · References 3
NVD
added 2025/11/19 5:15 p.m. · 7 views

CVE-2025-64757

Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote...

CVSS 3.5 · EPSS 0.00022
Exploits 1 · References 2
CVE
added 2025/11/19 4:40 p.m. · 12 views

CVE-2025-64757

Summary of CVE-2025-64757 (Astro): The Astro development server's image endpoint is vulnerable to arbitrary local file read via the href parameter in development mode, enabling an attacker to read image files accessible to the Node.js process. Affected: Astro v5.x development builds prior to 5.1...

CVSS 3.5 · AI score 6.3 · EPSS 0.00022
Exploits 1 · References 2 · Affected software 1
OSV
added 2025/11/19 4:40 p.m. · 7 views

CVE-2025-64757 Astro Development Server is Vulnerable to Arbitrary Local File Read

Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote...

CVSS 3.5 · AI score 6.6 · EPSS 0.00022
Exploits 1 · References 4
Vulnrichment
added 2025/11/19 4:40 p.m. · 4 views

CVE-2025-64757 Astro Development Server is Vulnerable to Arbitrary Local File Read

Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote...

CVSS 3.5 · AI score 6.2 · EPSS 0.00022
Exploits 1 · References 2