Main Vulnerability Database Vulnerabilities #VU114573

#VU114573 Input validation error in Next.js - CVE-2025-55173

Published: August 30, 2025

Vulnerability identifier: #VU114573

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-55173

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Next.js

Software vendor:
vercel

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input within the Image Optimization feature. A remote attacker with control over external image sources can trigger file downloads with arbitrary content and filenames under specific configurations and perform phishing attacks.

Remediation

Install updates from vendor's website.

External links

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v
https://vercel.com/changelog/cve-2025-55173

#VU114573 Input validation error in Next.js - CVE-2025-55173

Description

Remediation

External links

Please verify you're human