PT-2025-35327 · Vercel · Next.js
Reddounsf · Published 2025-08-29 · Updated 2025-08-31 · CVE-2025-57752
CVSS v3.1: 6.2 (Medium)
Base vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Next.js versions prior to 14.2.31
Next.js versions 15.0.0 through 15.4.5
Description:
Next.js Image Optimization API routes are susceptible to a cache key confusion issue. When images returned from API routes vary based on request headers, such as `Cookie` or `Authorization`, responses may be incorrectly cached and served to unauthorized users.
Recommendations:
Upgrade to Next.js version 14.2.31 or later.
Upgrade to Next.js version 15.4.5 or later.
Related Identifiers
CVE-2025-57752
GHSA-G5QG-72QW-GW5V
Affected Products
Next.js
References · 12
- https://nvd.nist.gov/vuln/detail/CVE-2025-57752 · Security Note
- https://osv.dev/vulnerability/GHSA-g5qg-72qw-gw5v · Vendor Advisory
- https://github.com/vercel/next.js · Note
- https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v · Note
- https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd · Note
- https://github.com/vercel/next.js/pull/82114 · Note
- https://twitter.com/CFchangelog/status/1962282000208814289 · Twitter Post
- https://twitter.com/Cloudforce_One/status/1961551405116002497 · Twitter Post
- https://twitter.com/CVEnew/status/1961553067624612020 · Twitter Post
- https://vercel.com/changelog/cve-2025-57752 · Note
- https://twitter.com/VulmonFeeds/status/1961635870940795300 · Twitter Post
- https://t.me/CVEtracker/31292 · Telegram Post