CVE-2025-57752 – next

Package

Manager: npm
Name: next
Vulnerable Version: >=0.9.9 <14.2.31 || >=15.0.0 <15.4.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00016 pctl0.02467

Details

Next.js Affected by Cache Key Confusion for Image Optimization API Routes A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752)

Metadata

Created: 2025-08-29T22:06:22Z
Modified: 2025-09-03T13:00:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-g5qg-72qw-gw5v/GHSA-g5qg-72qw-gw5v.json
CWE IDs: ["CWE-524"]
Alternative ID: GHSA-g5qg-72qw-gw5v
Finding: F065
Auto approve: 1