Two New Next.js Vulnerabilities: Content Injection and Cache Deception in the Image Optimizer
Two medium-severity CVEs in Next.js Image Optimization exposed user data and cache leaks — HeroDevs’ NES for Next.js patches both, keeping EOL versions secure without refactoring.
HeroDevs has patched two medium-severity vulnerabilities affecting the Next.js v12 Image Optimization feature. Both issues expose applications to potential user data risks and untrusted content injection under common configurations.
These vulnerabilities have been remediated in NES for Next.js, ensuring that even end-of-life versions of the framework remain secure.
CVE-2025-55173: Content Injection in Next.js Image Optimizer
Severity: Medium
Affected Versions: <14.2.31, >=15.0.0 <15.4.5
Fixed In: NES for Next.js — October 3, 2025
This vulnerability stems from improper content type validation in the Image Optimization service. When Next.js fails to identify the content type using file signatures, it falls back to trusting upstream Content-Type headers.
Under certain configurations (images.domains or permissive images.remotePatterns), attackers can host malicious files on external servers and manipulate the response headers to bypass validation, leading to the possibility of arbitrary file downloads under trusted domains.
Potential impact:
- Phishing and social engineering opportunities using spoofed content
- Drive-by downloads of attacker-controlled files
- Misleading or defaced content rendered under trusted URLs
Remediation:
Upgrade to the latest version of Next.js, or apply NES for Next.js, which includes a secure validation patch that eliminates reliance on untrusted upstream headers.
CVE-2025-57752: Cache Deception in Next.js Image Optimizer
Severity: Medium
Affected Versions: >=12.0.0 <14.2.31, >=15.0.0 <15.4.5
Fixed In: NES for Next.js — October 3, 2025
This issue arises from a mismatch between how Next.js caches optimized images and how it fetches them. Cached entries are keyed using image parameters such as URL and quality but ignore user-specific headers like cookies or authorization tokens.
When authenticated users trigger image optimizations, their personalized content can populate a shared cache, allowing unauthorized users to later access that same content without valid credentials.
Potential impact:
- Exposure of sensitive or user-specific images
- Authorization bypass and potential data leakage through shared caches
Remediation:
The patch included in NES for Next.js enforces cache key segregation, preventing authenticated responses from being shared across users.
Why These Issues Matter
Both vulnerabilities highlight how modern frameworks—especially those optimizing user content dynamically—can inadvertently blend performance features with sensitive data paths.
Without consistent patching, organizations relying on EOL or frozen versions of Next.js remain at risk. NES for Next.js delivers secure, fully maintained builds so teams can continue running stable, patched frameworks without disruption or refactoring.
How HeroDevs Can Help
HeroDevs provides Never-Ending Support (NES) for critical open-source frameworks like Next.js, Angular, Spring, and Struts. Our NES program delivers security fixes, dependency updates, and CVE remediation beyond official vendor support lifecycles.
To learn more about securing your applications with NES for Next.js, contact us or visit our pricing page.