CVE-2025-55173

Content Spoofing
Affects
Next.js
in
Next.js
Versions
<14.2.31, >=15.0.0 <15.4.5
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Next.js is a React framework for building web applications.

CVE-2025-55173 is a vulnerability in the Image Optimization feature that affects applications with configured external image domains or patterns. The vulnerability allows malicious actors to exploit the image optimization service to trigger arbitrary file downloads with attacker-controlled content and filenames.

Under certain configurations (images.domains or permissive images.remotePatterns), an attacker could leverage crafted responses from external image servers to bypass content type validation, potentially leading to phishing attacks, drive-by downloads, or social engineering scenarios.

Per OWASP: Content spoofing, also referred to as content injection, “arbitrary text injection” or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain. This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user’s trust.

This issue affects all versions of Next.js less than 14.2.31 and 15.x versions less than 15.4.5.

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability is found in the Image Optimization feature of the Next.js framework in the affected versions.

The vulnerability stems from improper content type validation in the image optimization service. When detectContentType() fails to identify the content type through magic number detection, the vulnerable code falls back to trusting the upstream Content-Type header without further validation.

An attacker can exploit this by:

  1. Configuring a malicious external image server that serves non-image content
  2. Setting crafted Content-Type headers that bypass image validation
  3. Triggering the download of arbitrary files with attacker-controlled content and filenames
  4. Potentially using this for phishing, drive-by downloads, or social engineering attacks

The vulnerability requires that the target application has external image domains or patterns configured via images.domains or images.remotePatterns.
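The fallback described above, as an added illustration that is not Next.js's own code: a magic-number sniffer, the flawed pattern that trusts the upstream header when sniffing fails, and a hardened resolver that only serves allow-listed image types it has verified from the bytes. The function names and the sample response are constructed for this example.

```javascript
// Added illustration (not Next.js's own code) of the content-type fallback
// described in the advisory, alongside a hardened replacement.

const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const JPEG_MAGIC = Buffer.from([0xff, 0xd8, 0xff]);
const GIF_MAGIC = Buffer.from('GIF8', 'latin1');

// Magic-number sniffer for the image types the optimizer may emit.
// Returns null when the leading bytes match nothing we recognise.
function detectContentType(buf) {
  if (buf.subarray(0, 8).equals(PNG_MAGIC)) return 'image/png';
  if (buf.subarray(0, 3).equals(JPEG_MAGIC)) return 'image/jpeg';
  if (buf.subarray(0, 4).equals(GIF_MAGIC)) return 'image/gif';
  if (buf.subarray(0, 4).toString('latin1') === 'RIFF' &&
      buf.subarray(8, 12).toString('latin1') === 'WEBP') return 'image/webp';
  return null;
}

// Vulnerable pattern: when sniffing fails, whatever the upstream server
// declared is passed straight through to the browser.
function resolveContentTypeVulnerable(buf, upstreamContentType) {
  return detectContentType(buf) ?? upstreamContentType;
}

// Hardened pattern: the upstream header is never consulted; if the bytes are
// not a recognised, allow-listed image the response is refused outright.
const ALLOWED_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp']);
function resolveContentTypeHardened(buf) {
  const detected = detectContentType(buf);
  if (detected === null || !ALLOWED_TYPES.has(detected)) {
    throw new Error('upstream response is not a recognised image; refusing to serve');
  }
  return detected;
}

// Constructed sample: an upstream "image" whose body is not an image at all,
// labelled by the upstream server as a generic download.
const sampleBody = Buffer.from('<html><body>not an image</body></html>', 'utf8');
const sampleUpstreamHeader = 'application/octet-stream';
```

Run against the sample, the vulnerable resolver hands back application/octet-stream, while the hardened one throws and nothing is served.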

Mitigation

Next.js v13 and older versions have reached End-of-Life and will not receive any updates to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Migrate to the latest version of Next.js
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

Vulnerability Details
ID
CVE-2025-55173
PROJECT Affected
Next.js
Versions Affected
<14.2.31, >=15.0.0 <15.4.5
Published date
October 7, 2025
≈ Fix date
October 3, 2025
Severity
Medium

Severity scale (level: CVSS assessment)
Low: >=0 <4
Medium: >=4 <6
High: >=6 <8
Critical: >=8 <10
Category
Content Spoofing