CVE-2025-57752
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-09-08

Assigner: GitHub, Inc.

Description
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2025-09-08
Generated
2026-05-07
AI Q&A
2025-08-30
EPSS Evaluated
2026-05-05
NVD
CVE-2025-57752
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vercel next.js to 14.2.31 (exc)
vercel next.js From 15.0.0 (inc) to 15.4.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a cache key confusion issue in Next.js Image Optimization API routes. When images served by these API routes vary based on request headers like Cookie or Authorization, the caching mechanism can mistakenly serve cached images intended for one user to another unauthorized user. This happens because the cache key does not properly distinguish between different header values, leading to potential unauthorized access to images.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized users receiving images that were meant for other users, potentially exposing sensitive or private image data. This can compromise user privacy and data confidentiality if images are personalized or restricted based on user credentials or session information.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability could negatively impact compliance with standards like GDPR and HIPAA because it may result in unauthorized disclosure of personal or sensitive information through improperly cached images. Organizations subject to these regulations must ensure that personal data is protected from unauthorized access, and this vulnerability undermines that requirement.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Next.js to version 14.2.31 or 15.4.5 or later. This fixes the cache key confusion bug in the Image Optimization API routes. Additionally, review your use of API routes serving images that vary based on request headers such as Cookie or Authorization, and ensure image optimization is properly configured.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart