CVE-2025-57752: Next.js Affected by Cache Key Confusion for Image Optimization API Routes
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.
All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
More details at Vercel Changelog
References
- github.com/advisories/GHSA-g5qg-72qw-gw5v
- github.com/vercel/next.js
- github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
- github.com/vercel/next.js/pull/82114
- github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v
- nvd.nist.gov/vuln/detail/CVE-2025-57752
- vercel.com/changelog/cve-2025-57752
Code Behaviors & Features
Detect and mitigate CVE-2025-57752 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →