CVE-2025-55173: 
ASP.NET Core vulnerability analysis and mitigation

Next.js, a React framework for building full-stack web applications, disclosed a content injection vulnerability (CVE-2025-55173) affecting versions before 14.2.31 and from 15.0.0 to before 15.4.5. The vulnerability was discovered on August 29, 2025, and allows attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations (NVD, Vercel Changelog).

The vulnerability has a CVSS v3.1 base score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The root cause was identified in the fetchInternalImage function within packages/next/src/server/image-optimizer.ts, where request headers were being improperly forwarded to internal resources. The issue specifically affects configurations using images.domains or images.remotePatterns (GitHub Advisory, GitHub Commit).

When exploited, the vulnerability allows attackers to trigger file downloads with arbitrary content and filenames, potentially enabling phishing attacks or malicious file delivery. The impact is particularly significant for applications that have external image domains or patterns configured and where the remote server is attacker-controlled or attacker-influenced (Vercel Changelog).

The vulnerability has been patched in Next.js versions 14.2.31 and 15.4.5. The fix involves updating the image optimizer logic to prevent falling back to upstream Content-Type headers when magic number detection fails. Vercel-hosted deployments were automatically protected by a patch applied on July 29th, 2025. Organizations running self-hosted deployments should upgrade to the patched versions and verify that external image sources are strictly validated (Vercel Changelog).