Description
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31, and from 15.0.0 before 15.4.5, Next.js Image Optimization is vulnerable to content injection: under specific configurations, an attacker-controlled external image source could cause the optimizer to serve a file download with arbitrary content and an arbitrary filename. This behaviour could be abused for phishing or malicious file delivery. The vulnerability is fixed in Next.js 14.2.31 and 15.4.5.
A vulnerability in Next.js Image Optimization allowed attacker-controlled image servers to trigger arbitrary file downloads with custom content and filenames. Exploitation required a permissive `images.domains` or `images.remotePatterns` configuration and user interaction (the victim must open a crafted link).
Binary-Affected: Next.js
Upstream-version-introduced: v14.2.30
Upstream-version-fixed: v15.4.5 and v14.2.31
Statement
This issue is classified as Moderate rather than Important because exploitation requires a very specific set of conditions: the target Next.js application must be configured with permissive external image domains or patterns, the attacker must control or influence the remote image server, and a user must be tricked into clicking a crafted link. The vulnerability does not provide code execution, privilege escalation or server compromise. It primarily enables arbitrary file downloads served from the trusted application origin, which increases the risk of phishing and social engineering rather than direct technical exploitation. Because the attack depends on user interaction and on a non-default configuration, the overall impact is contained and less severe than flaws that directly compromise application integrity or confidentiality.
Mitigation
Restrict `images.domains` and `images.remotePatterns` to the trusted hosts the application actually loads images from: pin the protocol, hostname and, where possible, a path prefix, and avoid wildcard hostnames such as `**`. Monitor request logs for `/_next/image` fetches whose `url` parameter points at external hosts outside that allowlist.
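The configuration audit and log check below are an added example, not code from the Red Hat advisory or from the Next.js project. The `next.config.js` fragments, host names and access-log lines are constructed for illustration; the wildcard matching follows the documented `remotePatterns` semantics (`*` matches one host label or path segment, `**` matches any number) in a simplified form.

```javascript
// Added example: audit a next.config.js `images` block for permissive
// remote-image settings, then check access-log lines for /_next/image
// requests that fetch from hosts the hardened configuration would not allow.
// All configs, hosts and log lines are constructed for illustration.

// Constructed: the permissive shape the advisory warns about.
const permissiveConfig = {
  images: {
    domains: ["example.com"],                                // legacy, hostname only
    remotePatterns: [{ protocol: "https", hostname: "**" }], // any external host
  },
};

// Constructed: hardened form, pinned to one CDN host and one path prefix.
const restrictedConfig = {
  images: {
    remotePatterns: [
      { protocol: "https", hostname: "cdn.example.com", pathname: "/images/**" },
    ],
  },
};

const escapeRe = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");

// `*` = exactly one DNS label, `**` = one or more labels (simplified).
function hostnameToRegex(pattern) {
  let re = "";
  for (const part of pattern.split(/(\*\*|\*)/)) {
    if (part === "**") re += "(?:[^.]+\\.)*[^.]+";
    else if (part === "*") re += "[^.]+";
    else re += escapeRe(part);
  }
  return new RegExp(`^${re}$`, "i");
}

// `*` = one path segment, `**` = anything; no pattern means any path.
function pathnameToRegex(pattern) {
  if (!pattern) return /^.*$/;
  let re = "";
  for (const part of pattern.split(/(\*\*|\*)/)) {
    if (part === "**") re += ".*";
    else if (part === "*") re += "[^/]+";
    else re += escapeRe(part);
  }
  return new RegExp(`^${re}$`);
}

// Returns human-readable findings; an empty array means nothing permissive.
function auditImageConfig(config) {
  const images = (config && config.images) || {};
  const findings = [];
  if (Array.isArray(images.domains) && images.domains.length > 0) {
    findings.push("images.domains is set: hostname-only allowlist with no protocol or path restriction; prefer remotePatterns");
  }
  for (const p of images.remotePatterns || []) {
    const host = p.hostname || "";
    if (host === "**" || host === "*") findings.push(`remotePatterns hostname "${host}" allows any external host`);
    else if (host.startsWith("**")) findings.push(`remotePatterns hostname "${host}" allows every subdomain`);
    if (!p.protocol) findings.push(`remotePatterns entry "${host}" does not pin the protocol`);
    if (!p.pathname) findings.push(`remotePatterns entry "${host}" does not restrict the path`);
  }
  return findings;
}

// Would this image source pass the given config? Local paths always do.
function isAllowedSource(config, src) {
  if (src.startsWith("/")) return true;
  let u;
  try { u = new URL(src); } catch { return false; }
  const images = (config && config.images) || {};
  const protocol = u.protocol.replace(/:$/, "");
  if ((images.domains || []).includes(u.hostname)) return true;
  return (images.remotePatterns || []).some((p) =>
    (!p.protocol || p.protocol === protocol) &&
    (!p.port || p.port === u.port) &&
    hostnameToRegex(p.hostname || "").test(u.hostname) &&
    pathnameToRegex(p.pathname).test(u.pathname));
}

// Constructed access-log lines (combined log format, abbreviated).
const sampleLog = [
  '203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /_next/image?url=%2Flogo.png&w=256&q=75 HTTP/1.1" 200 4120',
  '203.0.113.5 - - [01/Aug/2025:10:00:02 +0000] "GET /_next/image?url=https%3A%2F%2Fcdn.example.com%2Fimages%2Fhero.jpg&w=1080&q=75 HTTP/1.1" 200 88210',
  '198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "GET /_next/image?url=https%3A%2F%2Fattacker.example%2Fpayload&w=640&q=75 HTTP/1.1" 200 51200',
  '198.51.100.7 - - [01/Aug/2025:10:00:04 +0000] "GET /about HTTP/1.1" 200 2048',
];

// External image sources requested through the optimizer that the given
// (intended) config would not allow: what to alert on during monitoring.
function unexpectedImageFetches(logLines, config) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"GET (\/_next\/image\?[^ "]+) HTTP/);
    if (!m) continue;
    const src = new URL(m[1], "http://localhost").searchParams.get("url");
    if (!src || src.startsWith("/")) continue;            // local image, skip
    if (!isAllowedSource(config, src)) hits.push(src);
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("permissive findings:", auditImageConfig(permissiveConfig));
  console.log("restricted findings:", auditImageConfig(restrictedConfig));
  console.log("unexpected fetches:", unexpectedImageFetches(sampleLog, restrictedConfig));
}
```

Running the audit against the permissive config reports the legacy `domains` list, the `**` hostname and the missing path restriction; the hardened config reports nothing. Checking the same log against both configs shows why the restriction matters for detection as well: with the `**` pattern the fetch from `attacker.example` is indistinguishable from a legitimate one, while against the pinned pattern it is the only hit.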
Affected Packages
Platform | Package | State | Errata | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 10 | firefox | Fix deferred | | |
Red Hat Enterprise Linux 10 | thunderbird | Fix deferred | | |
Red Hat Enterprise Linux 7 | firefox | Fix deferred | | |
Red Hat Enterprise Linux 8 | firefox | Fix deferred | | |
Red Hat Enterprise Linux 8 | thunderbird | Fix deferred | | |
Red Hat Enterprise Linux 9 | dotnet7.0 | Fix deferred | | |
Red Hat Enterprise Linux 9 | firefox | Fix deferred | | |
Red Hat Enterprise Linux 9 | thunderbird | Fix deferred | | |
Red Hat Trusted Artifact Signer | rhtas/rekor-search-ui-rhel9 | Fix deferred | | |
streams for Apache Kafka 2 | com.github.streamshub-console | Fix deferred | | |
Next.js Content Injection Vulnerability for Image Optimization