PT-2025-35326 · Vercel · Next.Js
Kristianmagas · Published 2025-08-29 · Updated 2025-08-31
CVE-2025-55173
CVSS v3.1: 4.3 (Medium)
Base vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Next.js versions prior to 14.2.31
Next.js versions 15.0.0 through 15.4.5
Description:
Next.js Image Optimization is susceptible to content injection. Attackers controlling external image sources can trigger file downloads with arbitrary content and filenames under specific configurations. This could be exploited for phishing or malicious file delivery.
Recommendations:
Upgrade to Next.js version 14.2.31 or later.
Upgrade to Next.js version 15.4.5 or later.
Verify that external image sources are strictly validated.
Fix
RCE
Weakness Enumeration
Related Identifiers
CVE-2025-55173
GHSA-XV57-4MR9-WG8V
Affected Products
Next.Js
References · 12
- https://osv.dev/vulnerability/GHSA-xv57-4mr9-wg8v · Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-55173 · Security Note
- https://github.com/vercel/next.js · Note
- https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v · Note
- https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd · Note
- https://twitter.com/Cloudforce_One/status/1961551405116002497 · Twitter Post
- https://vercel.com/changelog/cve-2025-55173 · Note
- https://twitter.com/CFchangelog/status/1962282000208814289 · Twitter Post
- https://t.me/CVEtracker/31291 · Telegram Post
- http://vercel.com/changelog/cve-2025-55173 · Note
- https://twitter.com/CVEnew/status/1961553068794757500 · Twitter Post
- https://twitter.com/VulmonFeeds/status/1961638431001366864 · Twitter Post