CVE-2025-57752
MEDIUM6.2EPSS 0.14%Next.js Affected by Cache Key Confusion for Image Optimization API Routes
Published: 8/29/2025Modified: 2/4/2026
Description
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752)
Affected packages (1)
- npm/next>= 0.9.9, < 14.2.31
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-57752
- PATCHhttps://github.com/vercel/next.js
- WEBhttps://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
- WEBhttps://github.com/vercel/next.js/pull/82114
- WEBhttps://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v
- WEBhttps://vercel.com/changelog/cve-2025-57752