CVE-2025-55173: 
ASP.NET Core vulnerability analysis and mitigation

Next.js, a React framework for building full-stack web applications, was found to contain a content injection vulnerability (CVE-2025-55173) in its Image Optimization feature. The vulnerability affects versions before 14.2.31 and versions 15.0.0 to 15.4.4. This security issue was disclosed on August 29, 2025, and has been assigned a CVSS v3.1 base score of 4.3 (Medium) (NVD, Miggo).

The vulnerability is classified as CWE-20 (Improper Input Validation) and has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The root cause was identified in the fetchInternalImage function within packages/next/src/server/image-optimizer.ts, where request headers were improperly forwarded from incoming requests to internal resources. The vulnerability specifically involved the forwarding of headers: _req.headers in the image optimization process (Miggo).

The vulnerability allows attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This could be exploited for phishing attacks or malicious file delivery, particularly affecting users who rely on images.domains or images.remotePatterns configurations (NVD, Miggo).

The vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. The fix involves removing the header forwarding functionality in the fetchInternalImage function. All users relying on images.domains or images.remotePatterns are strongly encouraged to upgrade to the patched versions and verify that external image sources are strictly validated (NVD).