#VU114573 Input validation error in Next.js - CVE-2025-55173

Vulnerability identifier: #VU114573

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-55173

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Next.js
Server applications / Frameworks for developing and running applications

Vendor: Zeit

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input within the Image Optimization feature. A remote attacker with control over external image sources can trigger file downloads with arbitrary content and filenames under specific configurations and perform phishing attacks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Next.js: 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 14.2.0, 14.2.1, 14.2.2, 14.2.3, 14.2.4, 14.2.5, 14.2.6, 14.2.7, 14.2.8, 14.2.9, 14.2.10, 14.2.11, 14.2.12, 14.2.13, 14.2.14, 14.2.15, 14.2.16, 14.2.17, 14.2.18, 14.2.19, 14.2.20, 14.2.21, 14.2.22, 14.2.23, 14.2.24, 14.2.25, 14.2.26, 14.2.27, 14.2.28, 14.2.29, 14.2.30, 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.2.0, 15.2.1, 15.2.2, 15.2.3, 15.2.4, 15.2.5, 15.3.0, 15.3.1, 15.3.2, 15.3.3, 15.3.4, 15.3.5, 15.4.0, 15.4.1, 15.4.2, 15.4.3, 15.4.4

---

External links
https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v
https://vercel.com/changelog/cve-2025-55173

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.