CVE-2025-55173 – next
Package
Manager: npm
Name: next
Vulnerable Version: >=0 <14.2.31 || >=15.0.0 <15.4.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00044 (percentile 0.12914)
Details
Next.js Content Injection Vulnerability for Image Optimization
A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. Under specific configurations, the issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames. This behavior could be abused for phishing or malicious file delivery. All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and to verify that external image sources are strictly validated. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173).
Metadata
Created: 2025-08-29T21:59:55Z
Modified: 2025-09-01T20:05:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-xv57-4mr9-wg8v/GHSA-xv57-4mr9-wg8v.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-xv57-4mr9-wg8v
Finding: F184
Auto approve: 1