CVE-2025-55173

Medium CVSS: 4.3

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.

Vendor

Vercel

Product

Next.js

CWE

CWE-20

Yayın Tarihi

2025-08-29 22:15:31

Güncelleme

2025-09-08 16:42:57

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-20 Next.js MEDIUM Vercel 2025

Referanslar

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v https://vercel.com/changelog/cve-2025-55173

Benzer Kayıtlar

Medium

CVE-2026-29057

Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 1…

Medium

CVE-2026-27979

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1…

Medium

CVE-2026-27980

Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 1…

Medium

CVE-2026-27978

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1…

Low

CVE-2026-27977

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1…

Medium

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in min…