Next.js Image Optimization Content Injection Vulnerability

A content injection vulnerability has been identified in the Image Optimization feature of Next.js, a popular React framework for full-stack web applications. This issue affects Next.js versions prior to 14.2.31 and from 15.0.0 to before 15.4.5. The vulnerability allows attacker-controlled external image sources to initiate file downloads containing arbitrary content and filenames, under certain configurations. This behavior could be exploited for phishing attempts or to deliver malicious files.

Impact

Exploitation of this vulnerability could lead to unauthorized file downloads from a Next.js application, with content and filenames controlled by an attacker. This could be used for phishing, drive-by downloads, or social engineering attacks.

Reproduction

To reproduce this vulnerability, configure a Next.js application to allow external image domains or patterns. Then, use an attacker-controlled image source to trigger a download through the Next.js Image Optimization API. If the 'cookie' header is included in the request, the response will be a 400 status, indicating that the header was not forwarded. However, if the 'cookie' header is not present, the response will be a 401 status, stating that the cookie was not found.

Remediation

Users are advised to upgrade to Next.js versions 14.2.31 or 15.4.5. Those relying on 'images.domains' or 'images.remotePatterns' should verify that external image sources are strictly validated.