CVE-2025-57752 — Next.js Affected by Cache Key Confusion for Image Optimization API Routes

Description

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752)

How to fix CVE-2025-57752

To remediate CVE-2025-57752, upgrade the affected package to a fixed version below.

—upgrade to 14.2.31 or later

Is CVE-2025-57752 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 0.9.9, < 14.2.31

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.2	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-57752
PATCHgithub.com/vercel/next.js
WEBgithub.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
WEBgithub.com/vercel/next.js/pull/82114
WEB