प्लेटफ़ॉर्म
nodejs
घटक
next
में ठीक किया गया
15.0.1
14.2.32
14.2.31
CVE-2025-57752 affects Next.js Image Optimization, a feature used for optimizing images within Next.js applications. This vulnerability arises from a cache key confusion bug where images served from API routes that vary based on request headers, such as Cookie or Authorization, can be incorrectly cached and served to unauthorized users. Affected versions include those prior to v14.2.31 and v15.4.5; upgrading is the recommended solution.
The core impact of CVE-2025-57752 lies in the potential for unauthorized access to sensitive image data. If your Next.js application uses API routes to serve images and these routes incorporate request headers (like authentication tokens or user-specific preferences) into the image generation or selection process, an attacker could potentially manipulate the cache to receive images intended for other users. This could expose personally identifiable information (PII) embedded within the images or grant access to restricted content. The blast radius is limited to users who rely on API routes for image serving and whose routes are susceptible to header-dependent caching.
This vulnerability was publicly disclosed on August 29, 2025. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the nature of the vulnerability and the lack of a public PoC, the exploitation probability is considered low to medium, pending further analysis and potential exploitation attempts.
Applications utilizing Next.js Image Optimization and serving images through API routes that incorporate request headers (e.g., authentication tokens, user preferences) are at risk. This includes applications with custom image generation logic within API routes and those relying on header-dependent image selection.
• nodejs / server:
# Check Next.js version
npm list next• nodejs / server:
# Review API route code for caching logic and request header usage
grep -r 'Cache-Control' ./routes• generic web:
# Inspect response headers for caching directives
curl -I https://your-nextjs-app.com/api/image-routedisclosure
एक्सप्लॉइट स्थिति
EPSS
0.05% (17% शतमक)
CISA SSVC
CVSS वेक्टर
The primary mitigation for CVE-2025-57752 is to upgrade to Next.js version 14.2.31 or later, or version 15.4.5 or later. If upgrading is not immediately feasible, consider implementing a workaround by explicitly disabling caching for API routes that serve images dependent on request headers. This can be achieved by setting the Cache-Control header to no-cache or no-store on the API route response. Additionally, review your API route logic to ensure proper authorization checks are in place before serving images. After upgrading, confirm the fix by testing image serving with different user authentication states and verifying that the correct images are served based on the request headers.
Actualice Next.js a la versión 14.2.31 o superior, o a la versión 15.4.5 o superior. Esto corrige la confusión de claves de caché en las rutas de la API de optimización de imágenes. Si utiliza rutas de API para servir imágenes que dependen de los encabezados de solicitud y tiene habilitada la optimización de imágenes, la actualización es crucial.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2025-57752 is a medium-severity vulnerability in Next.js Image Optimization where API routes serving images with request header dependencies can be incorrectly cached, potentially exposing data to unauthorized users.
You are affected if you use Next.js Image Optimization and serve images through API routes that rely on request headers (like Cookie or Authorization) and are running versions prior to 14.2.31 or 15.4.5.
Upgrade to Next.js version 14.2.31 or later, or version 15.4.5 or later. As a temporary workaround, disable caching for affected API routes by setting the Cache-Control header to no-cache or no-store.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-57752, but it is important to apply the fix or workaround proactively.
You can find the official advisory and more details on the Vercel Changelog: https://vercel.com/changelog/cve-2025-57752
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।