CVE-2025-57752

Description

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

CVSS v3.1 Score

6.2

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness Type (CWE)

CWE-524 CWE-524

Affected Products

Vendor	Product	Versions
vercel	next.js	< 14.2.31
vercel	next.js	15.0.0 — 15.4.5

References

Advisories & Patches

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd https://github.com/vercel/next.js/pull/82114 https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v https://vercel.com/changelog/cve-2025-57752

Frequently Asked Questions

What is CVE-2025-57752? +

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. It has a CVSS v3.1 base score of 6.2 (MEDIUM).

How severe is CVE-2025-57752? +

CVE-2025-57752 has a CVSS v3.1 score of 6.2 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2025-57752? +

CVE-2025-57752 affects products from vercel, specifically: next.js. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-57752? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-4233

An insufficient implementation of cache vulnerability in Palo Alto Networks Prisma® Access Browser enables users to bypass certain data control …

CVE-2025-64762 9.1

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In …

CVE-2024-27917 7.5

Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie …

CVE-2024-45596 7.4

Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of …

CVE-2024-12314 7.2

The Rapid Cache plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 1.2.3. This …

CVE-2025-69202 6.5

Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service …