Summary
A vulnerability affecting Next.js Image Optimization has been addressed. It impacted versions prior to v15.4.5 and v14.2.31. When an app allowed the optimizer to fetch images from external hosts, an attacker-controlled image server could return a crafted non-image response that the optimizer then passed on to the browser, resulting in a file download from the app's own origin with attacker-defined filename and content.
Your Vercel deployments are safe by default. A patch applied on July 29th, 2025 eliminated exposure for all Vercel-hosted customers. Self-hosted deployments should upgrade to v15.4.5 or v14.2.31 to remediate the issue.
Impact
Under certain configurations (images.domains or permissive images.remotePatterns), a malicious actor could:
Trigger the download of a file, served from the Next.js app's own origin, with attacker-controlled content and filename
Exploit this behavior for phishing, drive-by downloads, or social engineering, since the download appears to come from the trusted application rather than from the attacker's server
This issue requires that:
The target app has external image domains or patterns configured that admit the attacker's host
The remote server is attacker-controlled or attacker-influenced
A user is tricked into clicking a crafted URL pointing at the app's image optimizer
Resolution
The issue was resolved by updating the image optimizer logic so that it no longer falls back to the upstream's Content-Type header when magic number detection fails. Responses are now served and cached only when the bytes are confidently identified as image content, so the optimizer no longer relays attacker-supplied non-image bytes under an attacker-chosen Content-Type, and it does not mistakenly reuse cache keys for user-specific responses.
The fix was included in:
Next.js v15.4.5
Next.js v14.2.31
Credit
Thanks to kristianmagas for the responsible disclosure.