CVE-2025-55173
MEDIUM4.3EPSS 0.69%Next.js Content Injection Vulnerability for Image Optimization
發布日:2025/8/29修改日:2026/2/4
描述
A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173)
受影響套件(1)
- npm/next>= 0.9.9, < 14.2.31
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-55173
- PATCHhttps://github.com/vercel/next.js
- WEBhttps://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
- WEBhttps://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v
- WEBhttps://vercel.com/changelog/cve-2025-55173
- WEBhttp://vercel.com/changelog/cve-2025-55173