Link to the code that reproduces this issue

https://github.com/jakobmerrild/next-15.4.5-public-image-issue

To Reproduce

1. Enable corepack if not already enabled
2. Install packages yarn install
3. Build using yarn build
4. Build docker image docker build . -t my-tag
5. Run docker image docker run -p 3000:3000 my-tag
6. Open http://localhost:3000
7. Log in with any credentials (resolver doesn't check them)
   a. Notice console output from the server: The requested resource isn't a valid image for /us.png received null

If docker isn't available you can replace steps 4-5 with

1. Copy public folder and static resource to standalone server cp -r ./public .next/standalone && cp -r .next/static .next/standalone
2. Start standalone server node .next/standalone/server.js

Current vs. Expected behavior

Images that are served from a route protected in the middleware.ts by using AuthJS are not served because the image optimizer fails to forward the auth headers when trying to fetch the image.

Regression introduced in #82114 (backported in #82175)

Instead those images are broken and the server logs

The requested resource isn't a valid image for /us.png received null
The requested resource isn't a valid image for /potato.jpg received null

Provide environment information

Info from application where we saw this issue, not the replication repo

Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.6.0: Mon Jul 14 11:30:29 PDT 2025; root:xnu-11417.140.69~1/RELEASE_ARM64_T6000
  Available memory (MB): 32768
  Available CPU cores: 10
Binaries:
  Node: 24.0.2
  npm: 11.3.0
  Yarn: 4.9.2
  pnpm: 10.6.4
Relevant Packages:
  next: 15.4.6
  eslint-config-next: 15.4.6
  react: 19.1.1
  react-dom: 19.1.1
  typescript: 5.9.2
Next.js Config:
  output: standalone

Which area(s) are affected? (Select all that apply)

Image (next/image)

Which stage(s) are affected? (Select all that apply)

Other (Deployed), next build (local)

Additional context

The issue started after upgrading from Next 15.3.5 to 15.4.5 in my project.

See comment: #82610 (comment)

Potential workaround

If the images can be safely served without authorization then moving the images to a route that can be safely ignored by the middleware, e.g. /public/images and updating the middleware matcher to ignore that route e.g.

export const config = {
    matcher: [
        /*
         * Match all request paths except for the ones starting with:
         * - api (API routes)
         * - login (The login page)
         * - health (Health check route)
         * - _next/static (static files)
         * - _next/image (image optimization files)
         * - favicon.ico (favicon file)
         * - images (public images)
         */
        '/((?!login|api|health|_next/static|_next/image|images|favicon.ico).*)',
    ],
};

Will allow the images to be served though obviously with the loss of authorization for the route.