Next.js Content Injection Vulnerability for Image Optimization

GHSA-xv57-4mr9-wg8v · CVE-2025-55173

Published Aug 29, 2025 · Modified Feb 4, 2026

Description

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

References

WEB https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-55173
WEB https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
PACKAGE https://github.com/vercel/next.js
WEB https://vercel.com/changelog/cve-2025-55173
WEB http://vercel.com/changelog/cve-2025-55173

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes