CVE-2025-57752 (GCVE-0-2025-57752)

Vulnerability from cvelistv5 – Published: 2025-08-29 22:06 – Updated: 2025-09-02 19:23
VLAI?
Summary
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
Severity ?
6.2 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-524 - Use of Cache Containing Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
vercel next.js Affected: >= 15.0.0, < 15.4.5
Affected: < 14.2.31
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-57752",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-02T19:23:30.318403Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-02T19:23:39.835Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "next.js",
          "vendor": "vercel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 15.0.0, \u003c 15.4.5"
            },
            {
              "status": "affected",
              "version": "\u003c 14.2.31"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-524",
              "description": "CWE-524: Use of Cache Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-29T22:06:27.240Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v"
        },
        {
          "name": "https://github.com/vercel/next.js/pull/82114",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vercel/next.js/pull/82114"
        },
        {
          "name": "https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd"
        },
        {
          "name": "https://vercel.com/changelog/cve-2025-57752",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://vercel.com/changelog/cve-2025-57752"
        }
      ],
      "source": {
        "advisory": "GHSA-g5qg-72qw-gw5v",
        "discovery": "UNKNOWN"
      },
      "title": "Next.js Affected by Cache Key Confusion for Image Optimization API Routes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-57752",
    "datePublished": "2025-08-29T22:06:27.240Z",
    "dateReserved": "2025-08-19T15:16:22.916Z",
    "dateUpdated": "2025-09-02T19:23:39.835Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-57752\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-29T22:15:31.963\",\"lastModified\":\"2025-09-08T16:43:50.330\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.5,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-524\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"14.2.31\",\"matchCriteriaId\":\"88CF5491-9D3E-4538-B7F4-9B2FACB57878\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"15.0.0\",\"versionEndExcluding\":\"15.4.5\",\"matchCriteriaId\":\"2FE23799-8927-4736-934B-BC2BB6F9BB63\"}]}]}],\"references\":[{\"url\":\"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vercel/next.js/pull/82114\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://vercel.com/changelog/cve-2025-57752\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-57752\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-02T19:23:30.318403Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-02T19:23:34.653Z\"}}], \"cna\": {\"title\": \"Next.js Affected by Cache Key Confusion for Image Optimization API Routes\", \"source\": {\"advisory\": \"GHSA-g5qg-72qw-gw5v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.2, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"vercel\", \"product\": \"next.js\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 15.0.0, \u003c 15.4.5\"}, {\"status\": \"affected\", \"version\": \"\u003c 14.2.31\"}]}], \"references\": [{\"url\": \"https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v\", \"name\": \"https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/vercel/next.js/pull/82114\", \"name\": \"https://github.com/vercel/next.js/pull/82114\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd\", \"name\": \"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://vercel.com/changelog/cve-2025-57752\", \"name\": \"https://vercel.com/changelog/cve-2025-57752\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-524\", \"description\": \"CWE-524: Use of Cache Containing Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-29T22:06:27.240Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-57752\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-02T19:23:39.835Z\", \"dateReserved\": \"2025-08-19T15:16:22.916Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-29T22:06:27.240Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.