CVE-2025-57752: 
ASP.NET Core vulnerability analysis and mitigation

Next.js, a React framework for building full-stack web applications, disclosed a cache key confusion vulnerability (CVE-2025-57752) affecting versions before 14.2.31 and from 15.0.0 to before 15.4.5. The vulnerability was discovered on August 29, 2025, and involves the Next.js Image Optimization API routes. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users (NVD, GitHub Advisory).

The vulnerability lies in the Next.js Image Optimizer's handling of images served from internal API routes. The root cause was identified in the fetchInternalImage function within packages/next/src/server/image-optimizer.ts. This function was forwarding the incoming request's headers to the internal API route, causing the route to generate user-specific images. However, the resulting optimized image was stored in the cache using a key that did not include the headers that influenced the image content. The vulnerability has been assigned a CVSS v3.1 base score of 6.2 (Moderate) with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory, Vercel Changelog).

The vulnerability could lead to unauthorized disclosure of user-specific or protected image content and cross-user leakage of conditional content via CDN or internal cache. This issue arises without user interaction and requires no elevated privileges, only a prior authorized request to populate the cache. It's worth noting that Vercel deployments were never impacted by this vulnerability (Vercel Changelog).

The issue has been fixed in Next.js versions 14.2.31 and 15.4.5. The resolution ensures that request headers aren't forwarded to the request that is proxied to the image endpoint, preventing the image endpoint from serving images that require authorization data and thus cannot be cached. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled (GitHub Advisory, Vercel Changelog).