CVE-2025-55173 — Next.js Content Injection Vulnerability for Image Optimization

Description

A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173)

How to fix CVE-2025-55173

To remediate CVE-2025-55173, upgrade the affected package to a fixed version below.

—upgrade to 14.2.31 or later

Is CVE-2025-55173 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 0.9.9, < 14.2.31

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-55173
PATCHgithub.com/vercel/next.js
WEBgithub.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
WEBgithub.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v