2392060 – (CVE-2025-57752) CVE-2025-57752 nextjs: Next.js Affected by Cache Key Confusion for Image Optimization API Routes

Bug 2392060 (CVE-2025-57752) - CVE-2025-57752 nextjs: Next.js Affected by Cache Key Confusion for Image Optimization API Routes

Summary: CVE-2025-57752 nextjs: Next.js Affected by Cache Key Confusion for Image Opti...

Keywords:
Status:	NEW
Alias:	CVE-2025-57752
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2392329 2392330 2392331 2392334 2392335 2392336 2392325 2392326 2392327 2392328 2392332 2392333
Blocks:
TreeView+	depends on / blocked

Reported:	2025-08-29 23:01 UTC by OSIDB Bzimport
Modified:	2025-09-09 11:26 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-08-29 23:01:13 UTC

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

Note You need to log in before you can comment on or make changes to this bug.