CVE-2025-55173

  • Thread starter: Aaron Brown, Steven Salat, Zack Tanner

Summary

A vulnerability affecting Next.js Image Optimization has been addressed. It impacted versions prior to v15.4.5 and v14.2.31, and involved a scenario where attacker-controlled external image servers could serve crafted responses that result in arbitrary file downloads with attacker-defined filenames and content.

A patch applied on July 29th, 2025 eliminated exposure for Vercel customers running the affected versions.

Impact

Under certain configurations (images.domains or permissive images.remotePatterns), a malicious actor could:

  • Trigger the download of a file from a Next.js app with attacker-controlled content and filename
  • Exploit this behavior for phishing, drive-by downloads, or social engineering scenarios

This issue requires that:

  • The target app has external image domains or patterns configured
  • The remote server is attacker-controlled or attacker-influenced
  • A user is tricked into clicking a crafted URL

Resolution

The issue was resolved by updating the image optimizer logic to avoid falling back to the upstream’s Content-Type header when magic number detection fails. This ensures that responses are only cached when confidently identified as image content and do not mistakenly reuse cache keys for user-specific responses.
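To make the resolution concrete, here is an added example (not Next.js's own code) that models the two behaviours in one place: the pre-fix path falls back to the upstream Content-Type when magic-number sniffing fails, while the fixed path only serves and caches what the bytes prove is an image. It assumes the optimizer's decision can be reduced to a content type plus a serve-and-cache flag; the cache-key handling mentioned above is not modelled.

```javascript
// Added example (not Next.js code): simplified model of the fix. Only the
// "trust the bytes, not the upstream Content-Type" decision is modelled.

// Image magic numbers, checked at a byte offset into the response body.
const SIGNATURES = [
  { type: 'image/png', offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', offset: 0, bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif', offset: 0, bytes: [0x47, 0x49, 0x46, 0x38] },
  // WebP: "RIFF" at offset 0 and "WEBP" at offset 8 (bytes 4-7 are the size).
  { type: 'image/webp', offset: 0, bytes: [0x52, 0x49, 0x46, 0x46],
    also: { offset: 8, bytes: [0x57, 0x45, 0x42, 0x50] } },
];

function matchesAt(buf, offset, bytes) {
  if (buf.length < offset + bytes.length) return false;
  return bytes.every((b, i) => buf[offset + i] === b);
}

// Return the MIME type proven by the magic number, or null if none matches.
function sniffImageType(buf) {
  for (const sig of SIGNATURES) {
    if (matchesAt(buf, sig.offset, sig.bytes) &&
        (!sig.also || matchesAt(buf, sig.also.offset, sig.also.bytes))) {
      return sig.type;
    }
  }
  return null;
}

// Pre-fix behaviour: when sniffing fails, fall back to the upstream header,
// so an attacker-controlled server decides what the app serves and caches.
function classifyVulnerable(buf, upstreamContentType) {
  const contentType = sniffImageType(buf) || upstreamContentType;
  return { contentType, serveAndCache: true };
}

// Post-fix behaviour: serve and cache only what the bytes prove is an image;
// anything else is rejected instead of being passed through.
function classifyHardened(buf) {
  const contentType = sniffImageType(buf);
  return { contentType, serveAndCache: contentType !== null };
}

// Constructed samples: a genuine PNG header and a non-image body that an
// upstream might label with an arbitrary Content-Type.
const PNG_HEADER = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const NON_IMAGE_BODY = new TextEncoder().encode('this is not an image');

console.log(classifyVulnerable(NON_IMAGE_BODY, 'application/octet-stream'));
console.log(classifyHardened(NON_IMAGE_BODY));
```

The first call shows the upstream's header being trusted for a body that is not an image; the second shows the hardened path refusing to serve or cache it.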

The fix was included in:

  • Next.js v15.4.5
  • Next.js v14.2.31

Credit

Thanks to kristianmagas for the responsible disclosure.
