Skip to main content

Next.js CVE-2025-55173

MEDIUM
Improper Input Validation (CWE-20)
2025-08-29 security-advisories@github.com
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 19:09 vuln.today
Patch released
Mar 28, 2026 - 19:09 nvd
Patch available
CVE Published
Aug 29, 2025 - 22:15 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.

AnalysisAI

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-20. Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. Affected products include: Vercel Next.Js. Version information: before 14.2.31.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-29927 CRITICAL POC
9.1 Mar 21

Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subreques

CVE-2017-16877 HIGH POC
7.5 Nov 17

ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to

CVE-2025-57822 MEDIUM POC
6.5 Aug 29

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.5), this vulnerabil

CVE-2025-6087 CRITICAL
9.1 Jun 16

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected sy

CVE-2026-41248 CRITICAL
9.1 Apr 24

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c

CVE-2025-48947 HIGH
7.7 Jun 04

A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring

CVE-2025-32421 LOW
3.7 May 14

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 3.7), this vulnerability

CVE-2025-30218 LOW
1.7 Apr 02

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 1.7), this vulnerability

CVE-2025-57752 MEDIUM
6.2 Aug 29

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.2), this vulnerabil

CVE-2025-48068 LOW
2.3 May 30

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3), this vulnerability

CVE-2024-56332 MEDIUM
5.3 Jan 03

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 5.3), this vulnerabil

Vendor StatusVendor

Share

CVE-2025-55173 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy