CVE-2025-57752
Cache Key Confusion vulnerability in next (npm)


What is CVE-2025-57752 About?

A cache key confusion bug in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. This bug can lead to sensitive images being incorrectly cached and served to unauthorized users if images returned from API routes vary based on request headers like `Cookie` or `Authorization`. Exploitation is complex, requiring specific conditions related to API routes and image optimization.

Affected Software

  • next
    • >0.9.9, <14.2.31
    • >15.0.0, <15.4.5

Technical Details

The vulnerability in Next.js Image Optimization is a cache key confusion bug. It arises when images served through Next.js API routes have their content or availability depend on request headers such as Cookie or Authorization. The image optimizer builds its cache key from the image request parameters alone and does not incorporate these headers, so the key does not distinguish an authorized request from an unauthorized one. When a privileged user requests an image that is subject to authorization, the optimizer fetches and caches the authorized image under that header-independent key. An unauthorized user who later requests the same image path gets a cache hit and receives the sensitive image instead of an access-denied response, because the cached copy bypasses the authorization check performed at the API route level.

What is the Impact of CVE-2025-57752?

Successful exploitation may allow attackers to gain unauthorized access to sensitive images, leading to information disclosure or privacy breaches.

What is the Exploitability of CVE-2025-57752?

Exploitation of this cache key confusion vulnerability is complex. It requires the Next.js application to use Image Optimization and, crucially, to serve images from API routes whose content or access control depends on sensitive request headers (e.g., Cookie, Authorization). An attacker needs to understand the caching logic and how these headers influence the returned image. Authentication might be required to initially access a sensitive image and cause it to be cached; the goal is then for an unauthenticated or unauthorized user to trigger the cache hit. This is a remote exploitation scenario. The preconditions are that the API routes really do serve header-dependent images and that Next.js Image Optimization is enabled. The likelihood of exploitation increases if developers are unaware of this caching behavior and design API routes for images without explicitly addressing cache key variations for authenticated content.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-57752?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

This patch removes forwarding of user-supplied HTTP headers (including cookies) when the Next.js image optimizer fetches internal images, preventing user-specific or sensitive information from being leaked to internal endpoints. This mitigates CVE-2025-57752, which allowed attackers to abuse the image optimizer to access protected API routes or leak confidential data by injecting headers into internal requests, thereby enforcing better isolation between user requests and internal server-side operations.
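The following is an added illustration of the two behaviours described in the Technical Details and in the fix above; it is not Next.js code or the vendor's patch. It models a header-gated API route and an optimizer whose cache is keyed only on URL and width, and replays the authorized-then-anonymous request sequence against a variant that forwards user headers upstream and one that does not. The route path `/api/avatar`, the cookie `session=alice` and the cache key shape are constructed for the example.

```javascript
// Constructed model of CVE-2025-57752: a protected image route plus an
// image optimizer with a header-independent cache key. Not Next.js code.

// Hypothetical protected API route: serves the image only for a valid session cookie.
function protectedImageRoute(headers) {
  if (headers.cookie === 'session=alice') {
    return { status: 200, body: 'SECRET_IMAGE_BYTES' };
  }
  return { status: 401, body: '' };
}

// Optimizer whose cache key is (url, width) only, with no Vary on Cookie/Authorization.
// forwardHeaders=true models the vulnerable behaviour (caller's headers reach the
// internal fetch); forwardHeaders=false models the fix (internal fetch is anonymous).
function makeOptimizer({ forwardHeaders }) {
  const cache = new Map();
  return function optimize(url, width, requestHeaders) {
    const key = `${url}|w=${width}`;
    if (cache.has(key)) {
      return { ...cache.get(key), cacheHit: true };
    }
    const upstream = protectedImageRoute(forwardHeaders ? requestHeaders : {});
    const result = { status: upstream.status, body: upstream.body, cacheHit: false };
    if (upstream.status === 200) {
      cache.set(key, result); // only successful fetches are cached
    }
    return result;
  };
}

// Replay the advisory's sequence: an authorized user first, then an anonymous user
// asking for the same optimized image.
function scenario(forwardHeaders) {
  const optimize = makeOptimizer({ forwardHeaders });
  const first = optimize('/api/avatar', 640, { cookie: 'session=alice' });
  const second = optimize('/api/avatar', 640, {});
  return { first, second };
}

// Vulnerable: the anonymous user gets a cache hit carrying the secret image.
// Fixed: the optimizer never holds the cookie, so the gated image is never fetched or cached.
```

In the fixed variant the internal fetch is anonymous, so a header-gated route can no longer be served through the optimizer at all; such images have to be served by the API route itself rather than via image optimization.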

Available Upgrade Options

  • next
    • >0.9.9, <14.2.31 → Upgrade to 14.2.31
  • next
    • >15.0.0, <15.4.5 → Upgrade to 15.4.5


Additional Resources

What are Similar Vulnerabilities to CVE-2025-57752?

Similar Vulnerabilities: CVE-2023-46738, CVE-2022-41913, CVE-2022-38706, CVE-2021-41189, CVE-2021-39148