Home > Vulnerability Database > CVE-2025-55173

Mend.io Vulnerability Database

CVE-2025-55173

Good to know:

Date: August 29, 2025

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.

Severity Score

4.3

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-55173

Url: https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v

Url: https://github.com/vercel/next.js

Url: http://vercel.com/changelog/cve-2025-55173

Url: https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

Url: https://vercel.com/changelog/cve-2025-55173

Url: https://www.mend.io/vulnerability-database/CVE-2025-55173

Severity Score

4.3

Weakness Type (CWE)

Improper Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version next - 15.4.5;next - 14.2.31

Learn More

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-55173

Good to know:

Date: August 29, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?