CVE-2025-57752

Summary
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 29 Aug, 2025 | 22:06
Updated At: 02 Sep, 2025 | 19:23

Next.js Affected by Cache Key Confusion for Image Optimization API Routes

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

▼Common Vulnerabilities and Exposures (CVE)
cve.org
▼CVE Numbering Authority (CNA)
Affected Products
Vendor: vercel
Product: next.js
Affected versions:
  • >= 15.0.0, < 15.4.5
  • < 14.2.31
Problem Types
Type: CWE
CWE ID: CWE-524
Description: CWE-524: Use of Cache Containing Sensitive Information
Metrics
Version: 3.1
Base score: 6.2
Base severity: MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
Hyperlink: https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v
Resource: x_refsource_CONFIRM
Hyperlink: https://github.com/vercel/next.js/pull/82114
Resource: x_refsource_MISC
Hyperlink: https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
Resource: x_refsource_MISC
Hyperlink: https://vercel.com/changelog/cve-2025-57752
Resource: x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source: security-advisories@github.com
Published At: 29 Aug, 2025 | 22:15
Updated At: 08 Sep, 2025 | 16:43

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 6.2
Base severity: MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches
vercel >> next.js >> Versions before 14.2.31 (exclusive)
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel >> next.js >> Versions from 15.0.0 (inclusive) to 15.4.5 (exclusive)
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
Weaknesses
CWE ID: CWE-524
Type: Primary
Source: security-advisories@github.com
References
Hyperlink: https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
Source: security-advisories@github.com
Resource: Patch
Hyperlink: https://github.com/vercel/next.js/pull/82114
Source: security-advisories@github.com
Resource: Patch
Hyperlink: https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v
Source: security-advisories@github.com
Resource: Vendor Advisory
Hyperlink: https://vercel.com/changelog/cve-2025-57752
Source: security-advisories@github.com
Resource: Vendor Advisory
