shipfeed: AI news, curated daily

CVE-2025-55173

Next.js patches CVE-2025-55173 in v15.4.5 and v14.2.31, fixing a flaw in image optimisation that allowed attacker-controlled servers to trigger arbitrary file downloads with custom filenames.

Aug 29 · primary fetch · 1 source · updated Aug 29

Summary

A vulnerability affecting Next.js Image Optimization has been addressed. It impacted versions prior to v15.4.5 and v14.2.31, and involved a scenario where attacker-controlled external image servers could serve crafted responses that result in arbitrary file downloads with attacker-defined filenames and content.

Your Vercel deployments are safe by default. A patch applied on July 29th, 2025 eliminated exposure for all Vercel-hosted customers. Self-hosted deployments should upgrade to v15.4.5 or v14.2.31 to remediate the issue.

Impact

Under certain configurations (images.domains or permissive images.remotePatterns), a malicious actor could:

This issue requires that:

Resolution

The issue was resolved by updating the image optimizer logic to avoid falling back to the upstream's Content-Type header when magic number detection fails. This ensures that responses are only cached when confidently identified as image content and do not mistakenly reuse cache keys for user-specific responses.

The fix was included in:

Credit

Thanks to kristianmagas for the responsible disclosure.

References

Read more: Trigger the download of a file from a Next.js app with attacker-controlled content and…

read full article on vercel.com
Sources (1 publication):
  1. vercel.com: CVE-2025-55173 (primary)