Platform
nodejs
Component
next
Fixed in
15.0.1
14.2.32
14.2.31
CVE-2025-57752 affects Next.js Image Optimization, a feature used for optimizing images within Next.js applications. This vulnerability arises from a cache key confusion bug where images served from API routes that vary based on request headers, such as Cookie or Authorization, can be incorrectly cached and served to unauthorized users. Affected versions include those prior to v14.2.31 and v15.4.5; upgrading is the recommended solution.
The core impact of CVE-2025-57752 lies in the potential for unauthorized access to sensitive image data. If your Next.js application uses API routes to serve images and these routes incorporate request headers (like authentication tokens or user-specific preferences) into the image generation or selection process, an attacker could potentially manipulate the cache to receive images intended for other users. This could expose personally identifiable information (PII) embedded within the images or grant access to restricted content. The blast radius is limited to users who rely on API routes for image serving and whose routes are susceptible to header-dependent caching.
This vulnerability was publicly disclosed on August 29, 2025. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the nature of the vulnerability and the lack of a public PoC, the exploitation probability is considered low to medium, pending further analysis and potential exploitation attempts.
Exploit Status
EPSS
0.05% (17% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-57752 is to upgrade to Next.js version 14.2.31 or later, or version 15.4.5 or later. If upgrading is not immediately feasible, consider implementing a workaround by explicitly disabling caching for API routes that serve images dependent on request headers. This can be achieved by setting the Cache-Control header to no-cache or no-store on the API route response. Additionally, review your API route logic to ensure proper authorization checks are in place before serving images. After upgrading, confirm the fix by testing image serving with different user authentication states and verifying that the correct images are served based on the request headers.
Update Next.js to version 14.2.31 or higher, or to version 15.4.5 or higher. This corrects the cache key confusion in Image Optimization API routes. If you use API routes to serve images that depend on request headers and have image optimization enabled, the update is crucial.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-57752 is a medium-severity vulnerability in Next.js Image Optimization where API routes serving images with request header dependencies can be incorrectly cached, potentially exposing data to unauthorized users.
You are affected if you use Next.js Image Optimization and serve images through API routes that rely on request headers (like Cookie or Authorization) and are running versions prior to 14.2.31 or 15.4.5.
Upgrade to Next.js version 14.2.31 or later, or version 15.4.5 or later. As a temporary workaround, disable caching for affected API routes by setting the Cache-Control header to no-cache or no-store.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-57752, but it is important to apply the fix or workaround proactively.
You can find the official advisory and more details on the Vercel Changelog: https://vercel.com/changelog/cve-2025-57752
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.