Patch next.js to 15.5.11 to fix:
- CVE-2025-59471 (Dependabot #140 / GHSA-9g9p-9gw9-jx7f): DoS via Image Optimizer remotePatterns — attacker could cause OOM by requesting optimization of arbitrarily large images. Patched
in 15.5.10+. - CVE-2025-59472 (SNYK-JS-NEXT-15105315 / Discussion #89139): Resource allocation without limits or throttling. 15.5.11 includes the LRU cache fix preventing unbounded growth.