GHSA-xv57-4mr9-wg8v

Source

https://github.com/advisories/GHSA-xv57-4mr9-wg8v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-xv57-4mr9-wg8v/GHSA-xv57-4mr9-wg8v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xv57-4mr9-wg8v

Aliases

CVE-2025-55173

Published

2025-08-29T21:59:55Z

Modified

2025-08-29T22:27:24.529824Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Next.js Content Injection Vulnerability for Image Optimization

Details

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-29T21:59:55Z",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE"
}

References

Affected packages

npm / next

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

14.2.31

npm / next

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.0.0

Fixed

15.4.5

Database specific

{
    "last_known_affected_version_range": "<= 15.4.4"
}