CVE-2025-55173
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-09-08

Assigner: GitHub, Inc.

Description
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2025-09-08
Generated
2026-06-16
AI Q&A
2025-08-30
EPSS Evaluated
2026-06-14
NVD
CVE-2025-55173
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vercel next.js to 14.2.31 (exc)
vercel next.js From 15.0.0 (inc) to 15.4.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Next.js Image Optimization allows attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. Essentially, an attacker can inject content by making the application download files that the attacker controls, which can be used for malicious purposes such as phishing or delivering harmful files.

Impact Analysis

The vulnerability can be abused to deliver malicious files or conduct phishing attacks by tricking users into downloading harmful content with attacker-controlled filenames. This can lead to security risks such as malware infection or social engineering attacks.

Mitigation Strategies

To mitigate this vulnerability, upgrade Next.js to version 14.2.31 or later if you are on the 14.x branch, or to version 15.4.5 or later if you are on the 15.x branch. Avoid using vulnerable versions before these fixed releases to prevent exploitation of the content injection issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart