Image Optimization API Vulnerability in Next.js by Vercel
CVE-2025-57752

6.2MEDIUM

Key Information:

Vendor

Vercel
Status
Next.js
Vendor
CVE Published:
29 August 2025

What is CVE-2025-57752?

A cache key confusion vulnerability exists in the Next.js Image Optimization API routes, impacting versions before 14.2.31 and from 15.0.0 to before 15.4.5. This issue arises when images returned from API routes vary based on specific request headers, such as Cookie or Authorization. Consequently, these responses may be incorrectly cached, resulting in unauthorized users being served sensitive images. To mitigate this risk, users are strongly advised to update to Next.js versions 14.2.31 or 15.4.5 or later, especially if their applications utilize API routes reliant on such request headers for image optimization.

Affected Version(s)

next.js >= 15.0.0, < 15.4.5 < 15.0.0, 15.4.5

next.js < 14.2.31 < 14.2.31

References

https://github.com/vercel/next.js/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/vercel/next.js/pull/82114
x_refsource_MISC
https://github.com/vercel/next.js/commit/6b12c60c61ee80cb...
x_refsource_MISC

CVSS V3.1

Score:
6.2
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-57752 : Image Optimization API Vulnerability in Next.js by Vercel