CVE-2025-57752
MEDIUM6.2EPSS 0.14%Next.js Affected by Cache Key Confusion for Image Optimization API Routes
發布日:2025/8/29修改日:2026/2/4
描述
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752)
受影響套件(1)
- npm/next>= 0.9.9, < 14.2.31
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-57752
- PATCHhttps://github.com/vercel/next.js
- WEBhttps://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
- WEBhttps://github.com/vercel/next.js/pull/82114
- WEBhttps://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v
- WEBhttps://vercel.com/changelog/cve-2025-57752