Platform: nodejs
Component: next
Fixed in: 15.4.5, 14.2.32, 14.2.31
CVE-2025-55173 is a content-injection flaw in Next.js Image Optimization. In an application that allows external image sources through images.domains or images.remotePatterns, an attacker can craft an image-optimizer request that makes the browser download a file with attacker-chosen content and filename, because the optimizer did not adequately validate what it fetched from the permitted external sources. Affected releases are those before v14.2.31 on the 14.x line and those before v15.4.5 on the 15.x line; upgrade to a patched release.
The practical impact is that an attacker can hand a user a link to a trusted application's image optimizer which, instead of rendering an image, makes the browser download a file whose content and filename the attacker chose. Because the download is served from the application's own origin, it carries that origin's reputation, which is what makes it useful for phishing: the victim sees a file apparently published by a site they know. Only deployments that allow external sources via images.domains or images.remotePatterns are exposed, and the looser those allow-lists are (wildcard hostnames, no path restriction), the easier it is for an attacker to point the optimizer at a host they control.
CVE-2025-55173 was publicly disclosed on August 29, 2025. No public proof of concept is known, although the vulnerability is simple enough that the barrier to building one is low. It has no CISA KEV entry (a KEV entry would mean confirmed exploitation in the wild), and its EPSS score is 0.19% (41st percentile). No active campaigns have been reported, but the phishing use case warrants attention.
Applications that use Next.js Image Optimization and allow external image sources via images.domains or images.remotePatterns are at risk. This includes projects that load images dynamically and those that integrate third-party image hosting, especially with wildcard or otherwise broad allow-lists. Multi-tenant or shared hosting setups in which individual teams maintain their own next.config.js deserve a sweep, since a permissive allow-list in any one application exposes that application.
• nodejs / server: check the installed version (14.x below 14.2.31 or 15.x below 15.4.5 is affected):
  npm ls next --depth=0
• nodejs / server: look for external image sources in the Next.js config (next.config.js, .mjs or .ts). The keys are nested under images, so grep for the keys themselves rather than the dotted path:
  grep -nE 'domains|remotePatterns' next.config.*
• generic web: inspect the images section of next.config.js for domains or remotePatterns entries that allow external image sources, and note any wildcard hostnames.
Exploit status: disclosure only (no public PoC)
EPSS: 0.19% (41st percentile)
The fix for CVE-2025-55173 is to upgrade Next.js itself (Image Optimization is part of the framework, not a separate package) to 14.2.31 or later on the 14.x line, or 15.4.5 or later on the 15.x line. If that cannot happen immediately, tighten images.domains and images.remotePatterns: name the specific hosts you fetch from, set protocol and a pathname prefix in each remotePatterns entry, and avoid wildcard hostnames such as '**'. A WAF rule on the image optimizer path that rejects requests whose url query parameter points at hosts outside the allow-list can serve as a stopgap, not as the fix. After upgrading, confirm with npm ls next that the running version is 14.2.31+ or 15.4.5+, and check that a request for an image on a host that is not in the allow-list is rejected by the optimizer rather than proxied.
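The following added example (not code from the advisory or from Next.js) places a permissive images configuration beside a restrictive one and runs a small re-implementation of the remotePatterns matching rules over constructed URLs, to show what each would let the optimizer fetch. The hostnames cdn.example.com, img.example.org and attacker.example.net are placeholders. The matcher treats '*' as exactly one hostname or path segment and '**' as any number of segments, and an omitted protocol, port or pathname as unrestricted; that follows the documented meaning of the options but is an assumption of this example, not Next's own matcher.

```javascript
// Added example, not code from the advisory or from Next.js: compare a
// permissive images configuration with a restrictive one by running a
// simplified re-implementation of the remotePatterns rules over sample URLs.

// Permissive: every https host on any path is an acceptable source, so an
// attacker only needs a URL on a host they control.
const looseConfig = {
  images: { remotePatterns: [{ protocol: 'https', hostname: '**' }] },
};

// Restrictive: one named CDN host (placeholder), explicit protocol and the
// path prefix under which the application's images actually live.
const strictConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: 'cdn.example.com', pathname: '/avatars/**' },
    ],
  },
};

// Match pattern segments against value segments: '**' consumes zero or more
// segments, '*' exactly one, any other segment must match literally.
function matchSegments(patternSegs, valueSegs) {
  if (patternSegs.length === 0) return valueSegs.length === 0;
  const [head, ...rest] = patternSegs;
  if (head === '**') {
    for (let i = 0; i <= valueSegs.length; i++) {
      if (matchSegments(rest, valueSegs.slice(i))) return true;
    }
    return false;
  }
  if (valueSegs.length === 0) return false;
  if (head !== '*' && head !== valueSegs[0]) return false;
  return matchSegments(rest, valueSegs.slice(1));
}

// Would this config let the optimizer fetch urlString? Entries in the legacy
// images.domains list are treated as "that exact host, any protocol, port or
// path". An omitted protocol, port or pathname is unrestricted (assumption
// matching the documented defaults, not Next's implementation).
function urlAllowed(config, urlString) {
  const url = new URL(urlString);
  const images = config.images || {};
  const patterns = [
    ...(images.remotePatterns || []),
    ...(images.domains || []).map((hostname) => ({ hostname })),
  ];
  const hostSegs = url.hostname.split('.');
  const pathSegs = url.pathname.split('/').filter(Boolean);
  return patterns.some((pat) => {
    if (pat.protocol && `${pat.protocol}:` !== url.protocol) return false;
    if (pat.port !== undefined && pat.port !== url.port) return false;
    if (!matchSegments(pat.hostname.toLowerCase().split('.'), hostSegs)) return false;
    const pathPattern = pat.pathname === undefined ? '/**' : pat.pathname;
    return matchSegments(pathPattern.split('/').filter(Boolean), pathSegs);
  });
}

// Constructed sample URLs: one legitimate avatar, one on the same host but
// outside the allowed prefix, and two on attacker-chosen hosts.
const SAMPLE_URLS = [
  'https://cdn.example.com/avatars/u1.png',
  'https://cdn.example.com/uploads/u1.png',
  'https://evil.cdn.example.com/avatars/x.png',
  'https://attacker.example.net/evil.svg',
];

// Returns { url: allowed } for every sample URL under the given config.
function report(config) {
  const out = {};
  for (const u of SAMPLE_URLS) out[u] = urlAllowed(config, u);
  return out;
}

for (const [name, config] of [['loose', looseConfig], ['strict', strictConfig]]) {
  console.log(name, report(config));
}
```

Under looseConfig all four URLs are accepted, including the two attacker hosts; under strictConfig only the avatar on the named CDN passes. Even after the upgrade, the restrictive form is what keeps the optimizer from acting as a general-purpose fetcher for whatever host a request names.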
Update Next.js to version 14.2.31 or later, or to version 15.4.5 or later. This fixes the content-injection vulnerability in image optimization. The update can be applied with the npm or yarn package manager.
CVE-2025-55173 is a vulnerability in Next.js Image Optimization that lets attackers trigger downloads of files with arbitrary content and filenames through manipulated external image sources. It affects Next.js releases before v14.2.31 on the 14.x line and before v15.4.5 on the 15.x line.
You are affected if you run Next.js below 14.2.31, or 15.x below 15.4.5, and have configured images.domains or images.remotePatterns to allow external image sources.
Upgrade Next.js to 14.2.31 or later on the 14.x line, or 15.4.5 or later on the 15.x line. Then review and tighten the images.domains and images.remotePatterns configuration.
Active exploitation has not been reported, but the vulnerability is straightforward to abuse for phishing and warrants vigilance.
You can find the official advisory at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173)