CVE-2025-57752
📋 TL;DR
Next.js Image Optimization API routes have a cache key confusion vulnerability that could serve cached image responses to unauthorized users. This affects applications using API routes to serve images that vary based on request headers (like authentication tokens) with image optimization enabled. Users of Next.js versions before 14.2.31 and 15.0.0-15.4.5 are impacted.
💻 Affected Systems
- Next.js
📦 What is this software?
Next.js by Vercel
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users access sensitive images intended for authenticated users, potentially exposing confidential data, user information, or proprietary content.
Likely Case
Unauthorized users receive cached images that should be restricted, leading to information disclosure of user-specific content.
If Mitigated
No impact if images don't vary by headers or image optimization is disabled for sensitive API routes.
🎯 Exploit Status
Exploitation requires accessing cached images that should be restricted, which is straightforward if the vulnerability exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.2.31 and 15.4.5
Vendor Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v
Restart Required: Yes
Instructions:
1. Update the Next.js package to version 14.2.31 or 15.4.5 using npm or yarn.
2. Restart the application server.
3. Clear existing image caches if necessary.
🔧 Temporary Workarounds
Disable Image Optimization for Sensitive API Routes
Temporarily disable image optimization for API routes that serve images based on request headers.
Modify Next.js configuration to set 'unoptimized: true' for affected image components or disable optimization globally if acceptable.
Implement Custom Cache Key Logic
Add custom cache key generation that includes relevant headers to prevent confusion.
Implement middleware or custom image loader that generates cache keys incorporating authentication headers.
🧯 If You Can't Patch
- Disable image optimization entirely in Next.js configuration for all API routes serving sensitive images.
- Implement server-side authentication checks that bypass cache for header-dependent images, ensuring fresh responses for each request.
🔍 How to Verify
Check if Vulnerable:
Check Next.js version in package.json and verify if API routes serve images with header-dependent content and image optimization enabled.
Check Version:
npm list next or check package.json for 'next' version
Verify Fix Applied:
Confirm Next.js version is 14.2.31+ or 15.4.5+ and test that cached images are not served incorrectly to unauthorized users.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to image API routes from unauthorized IPs, repeated requests to same image endpoints with different headers.
Network Indicators:
- Multiple requests to image optimization endpoints with varying Authorization/Cookie headers from same source.
SIEM Query:
source="nextjs" AND (uri="/_next/image*" OR uri="/api/*") AND status=200 AND (user_agent NOT CONTAINS "authorized" OR auth_header="")
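The network indicator above (one source hitting the same image endpoint with several different Authorization/Cookie values) can be checked offline against access logs. The following is an added example, not code from the advisory or from Next.js; it assumes a constructed JSON-lines log shape with ip, uri, status, cookie and authorization fields, which you would map to your own log schema.

```javascript
// Constructed sample access-log records (not real traffic). The first three
// rows show one client fetching the same optimizer URL with three different
// credentials, which is the pattern the "Network Indicators" section describes.
const SAMPLE_LOGS = [
  { ip: "203.0.113.7", uri: "/_next/image?url=%2Fapi%2Fstatement%2F42&w=640&q=75", status: 200, cookie: "session=u1" },
  { ip: "203.0.113.7", uri: "/_next/image?url=%2Fapi%2Fstatement%2F42&w=640&q=75", status: 200, cookie: "session=u2" },
  { ip: "203.0.113.7", uri: "/_next/image?url=%2Fapi%2Fstatement%2F42&w=640&q=75", status: 200, cookie: "" },
  { ip: "198.51.100.3", uri: "/_next/image?url=%2Fapi%2Fstatement%2F42&w=640&q=75", status: 200, cookie: "session=u1" },
  { ip: "198.51.100.3", uri: "/api/statement/42", status: 401, authorization: "Bearer expired" },
  { ip: "198.51.100.3", uri: "/static/logo.png", status: 200, cookie: "session=u1" },
];

// Only the image optimizer route and API routes are relevant to this CVE.
function isImageOrApiRoute(uri) {
  return uri.startsWith("/_next/image") || uri.startsWith("/api/");
}

// Group successful requests by (source IP, exact URI) and count how many
// distinct credential values were presented. A group with `threshold` or more
// distinct values is reported. Note that an empty credential (unauthenticated)
// counts as its own value, since a cached private image served to an
// unauthenticated request is exactly the failure mode described above.
function findHeaderVaryingSources(records, threshold = 2) {
  const groups = new Map(); // JSON key [ip, uri] -> Set of credential strings
  for (const rec of records) {
    if (rec.status !== 200 || !isImageOrApiRoute(rec.uri)) continue;
    const credential = rec.authorization || rec.cookie || "";
    const key = JSON.stringify([rec.ip, rec.uri]);
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(credential);
  }
  const hits = [];
  for (const [key, credentials] of groups) {
    if (credentials.size >= threshold) {
      const [ip, uri] = JSON.parse(key);
      hits.push({ ip, uri, distinctCredentials: credentials.size });
    }
  }
  // Most suspicious first.
  return hits.sort((a, b) => b.distinctCredentials - a.distinctCredentials);
}

module.exports = { SAMPLE_LOGS, findHeaderVaryingSources, isImageOrApiRoute };
```

Run over real logs, a hit is a prompt to confirm the Next.js version and check whether the underlying API route returns user-specific images; on its own it is not proof of exploitation, since legitimate clients re-authenticate too.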