Summary

A vulnerability affecting Next.js Image Optimization has been addressed. It impacted versions prior to v15.4.5 and v14.2.31, and involved a scenario where attacker-controlled external image servers could serve crafted responses that result in arbitrary file downloads with attacker-defined filenames and content.

Your Vercel deployments are safe by default. A patch applied on July 29th, 2025 eliminated exposure for all Vercel-hosted customers. Self-hosted deployments should upgrade to v15.4.5 or v14.2.31 to remediate the issue.

Impact

Under certain configurations (images.domains or permissive images.remotePatterns), a malicious actor could:

- Trigger the download of a file from a Next.js app with attacker-controlled content and filename
- Exploit this behavior for phishing, drive-by downloads, or social engineering scenarios

This issue requires that:

- The target app has external image domains or patterns configured
- The remote server is attacker-controlled or…
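
A check for the configuration-side preconditions above, added here as an example (not code from Vercel or the Next.js project): it compares a Next.js version against the patched releases and lists the external image sources in an `images` config. The function names, the sample config, and treating a `*` in a hostname as "permissive" are assumptions.

```javascript
// Patched releases named in the advisory.
const FIXED = { 15: [15, 4, 5], 14: [14, 2, 31] };

// Parse "15.4.4" or "v15.4.4"; pre-release tags are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognized version: ${v}`);
  return m.slice(1).map(Number);
}

function isPatched(version) {
  const cur = parseVersion(version);
  // 15.x and later compare against 15.4.5; anything older against 14.2.31.
  const fixed = cur[0] >= 15 ? FIXED[15] : FIXED[14];
  for (let i = 0; i < 3; i++) {
    if (cur[i] !== fixed[i]) return cur[i] > fixed[i];
  }
  return true; // exactly the patched release
}

// List every external image source the optimizer is allowed to fetch from.
function externalImageSources(images = {}) {
  const findings = [];
  for (const d of images.domains || []) {
    findings.push({ source: `images.domains: ${d}`, wildcard: false });
  }
  for (const p of images.remotePatterns || []) {
    const host = p.hostname || '';
    findings.push({ source: `images.remotePatterns: ${host}`, wildcard: host.includes('*') });
  }
  return findings;
}

function auditImageOptimizer(version, nextConfig = {}) {
  const sources = externalImageSources(nextConfig.images);
  const patched = isPatched(version);
  return {
    patched,
    sources,
    // True when the version is unpatched and external image sources exist.
    preconditionsMet: !patched && sources.length > 0,
    // Wildcard hosts widen the set of servers to review (heuristic, assumption).
    needsReview: sources.filter((s) => s.wildcard).map((s) => s.source),
  };
}

// Constructed sample config, not taken from any real application.
const sampleConfig = { images: { domains: ['cdn.example.org'], remotePatterns: [{ protocol: 'https', hostname: '**.example.com' }] } };
console.log(JSON.stringify(auditImageOptimizer('14.2.30', sampleConfig), null, 2));
```

Whether a listed host is actually attacker-controlled cannot be read from the config, so the output is a review list; upgrading to a patched release remains the remediation.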