CVE-2025-55173: Next.js Content Injection Vulnerability for Image Optimization
CVSS score: 4.3
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| next | npm | < 14.2.31 | 14.2.31 |
| next | npm | >= 15.0.0, <= 15.4.4 | 15.4.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability analysis began by examining the provided patch in commit `6b12c60c61ee80cb0443ccd20de82ca9b4422ddd`. The patch removes the line `headers: _req.headers,` from the `fetchInternalImage` function in `packages/next/src/server/image-optimizer.ts`. This is a strong indicator that the vulnerability lies in the forwarding of user-controlled request headers to an internal handler.

The commit message, "The headers were forwarded to the serverless function for "internal" images but not "external" images," corroborates this finding: it states that headers were being passed along for internal image requests. The added test case confirms this by asserting that a `cookie` header is not forwarded to an internal API route after the fix.

While the vulnerability description mentions "attacker-controlled external image sources," the tangible evidence from the code change points to a flaw in the handling of internal image sources. The exploit scenario involves the image optimizer being used to make a request to an internal endpoint (such as an API route). Because the optimizer copied the incoming request's headers onto that internal request, the caller controlled the input seen by the internal endpoint, potentially causing it to generate a malicious response carrying a `Content-Disposition` header.

The root cause is that request headers were forwarded to the internal request without validation or sanitization. The identified vulnerable function, `fetchInternalImage`, is the exact location where this unsafe header forwarding occurred. The fix no longer passes the headers to the mocked request that is handed to the internal handler, which closes the content injection vector.
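The forwarding path described above, as an added example that is not Next.js source and not part of this advisory: `fetchInternalImage` and `createRequestResponseMocks` are simplified stand-ins with hypothetical signatures, the `/api/echo` route and its `x-seen-headers` response header are invented for observation, and the request headers are constructed sample input. The `forwardHeaders` flag switches between the pre-fix behaviour (`headers: _req.headers` passed to the mock) and the patched behaviour (no headers passed).

```javascript
// Added example (not Next.js source): a simplified model of the header
// forwarding removed by the fix. fetchInternalImage, createRequestResponseMocks
// and the /api/echo route here are stand-ins with simplified signatures.

// Vulnerable builds passed `headers: _req.headers` to the mocked request;
// patched builds do not pass headers at all.
const FORWARD_HEADERS_BEFORE_FIX = true;
const FORWARD_HEADERS_AFTER_FIX = false;

// Stand-in for the mock request/response pair the optimizer hands to the app.
function createRequestResponseMocks({ url, method, headers }) {
  const req = { url, method, headers: { ...(headers || {}) } };
  const res = {
    statusCode: 200,
    headers: {},
    body: null,
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    end(body) { this.body = body; },
  };
  return { req, res };
}

// Hypothetical internal API route reached through /_next/image?url=/api/echo.
// It reports which request headers it saw, so the caller can observe exactly
// what the optimizer forwarded. A real route would instead act on them
// (session cookies, content negotiation, ...), which is the exposure.
function internalEchoRoute(req, res) {
  const seen = Object.keys(req.headers).sort().join(',');
  res.setHeader('x-seen-headers', seen);
  res.end('fake-image-bytes');
}

// Simplified optimizer step for an internal image: build the mocked request
// and run the app's own request handler over it. `forwardHeaders` selects the
// vulnerable (true) or patched (false) behaviour.
function fetchInternalImage(href, incomingReq, handleRequest, forwardHeaders) {
  const mocked = createRequestResponseMocks({
    url: href,
    method: incomingReq.method || 'GET',
    headers: forwardHeaders ? incomingReq.headers : undefined,
  });
  handleRequest(mocked.req, mocked.res);
  return mocked.res;
}

// Which of the caller's request headers reach the internal route?
function headersReachingInternalRoute(incomingHeaders, forwardHeaders) {
  const incomingReq = { method: 'GET', headers: incomingHeaders };
  const res = fetchInternalImage('/api/echo', incomingReq, internalEchoRoute, forwardHeaders);
  const seen = res.headers['x-seen-headers'];
  return seen ? seen.split(',') : [];
}

// Constructed sample: a request to the optimizer carrying the browser's
// session cookie plus an extra header the requester chose to send.
const SAMPLE_HEADERS = {
  host: 'app.example.test',
  cookie: 'session=abc123',
  'x-injected': 'requester-chosen-value',
};

console.log('before fix:', headersReachingInternalRoute(SAMPLE_HEADERS, FORWARD_HEADERS_BEFORE_FIX));
console.log('after fix: ', headersReachingInternalRoute(SAMPLE_HEADERS, FORWARD_HEADERS_AFTER_FIX));
```

The after-fix call mirrors the check the fix commit adds to its test suite: the `cookie` header must not show up at the internal API route. Any non-empty result from the patched path is the signal that headers are still being copied onto the internal request.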
Vulnerable functions
`fetchInternalImage` in `packages/next/src/server/image-optimizer.ts`