CVE-2025-55173
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-09-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vercel | next.js | Up to 14.2.31 (exc) |
| vercel | next.js | From 15.0.0 (inc) to 15.4.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Next.js Image Optimization allows attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. In effect, an attacker can inject content by causing the application to serve downloads of files the attacker controls, which can then be used for purposes such as phishing or delivering harmful files.
How can this vulnerability impact me?
The vulnerability can be abused to deliver malicious files or conduct phishing attacks by tricking users into downloading harmful content with attacker-controlled filenames. This can lead to security risks such as malware infection or social engineering attacks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Next.js to version 14.2.31 or later if you are on the 14.x branch, or to version 15.4.5 or later if you are on the 15.x branch. Do not run versions earlier than these fixed releases, as they remain exposed to the content injection issue.