CVE-2025-55173

MEDIUM4.3EPSS 0.69%

Next.js Content Injection Vulnerability for Image Optimization

Published: 8/29/2025Modified: 2/4/2026

Also known as:GHSA-xv57-4mr9-wg8vCGA-ff6x-f9mf-5q64

Description

A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173)

Affected packages (1)

npm/next>= 0.9.9, < 14.2.31

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-55173
PATCHhttps://github.com/vercel/next.js
WEBhttps://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
WEBhttps://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v
WEBhttps://vercel.com/changelog/cve-2025-55173
WEBhttp://vercel.com/changelog/cve-2025-55173