2392059 – (CVE-2025-55173) CVE-2025-55173 nextjs: Next.js Content Injection Vulnerability for Image Optimization

Bug 2392059 (CVE-2025-55173) - CVE-2025-55173 nextjs: Next.js Content Injection Vulnerability for Image Optimization

Summary: CVE-2025-55173 nextjs: Next.js Content Injection Vulnerability for Image Opti...

Keywords:
Status:	NEW
Alias:	CVE-2025-55173
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2392328 2392329 2392330 2392331 2392333 2392334 2392335 2392336 2392325 2392326 2392327 2392332
Blocks:
TreeView+	depends on / blocked

Reported:	2025-08-29 23:01 UTC by OSIDB Bzimport
Modified:	2025-09-09 11:27 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-08-29 23:01:10 UTC

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.

Note You need to log in before you can comment on or make changes to this bug.