CVE-2025-57752: CWE-524: Use of Cache Containing Sensitive Information in vercel next.js
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
AI Analysis
Technical Summary
CVE-2025-57752 is a medium-severity vulnerability affecting the Next.js framework, specifically its Image Optimization API routes. Next.js is a widely used React framework for building full-stack web applications. The vulnerability arises from a cache key confusion issue in versions prior to 14.2.31 and in versions from 15.0.0 up to, but not including, 15.4.5. When images served via API routes vary based on request headers such as Cookie or Authorization, the caching mechanism may incorrectly serve cached images intended for one user to another, unauthorized user. This occurs because the cache key does not properly incorporate the request headers the response varies on, so the first user's image is stored under a key that later users' requests also match, leading to sensitive image data leakage. The vulnerability is classified under CWE-524, which concerns the use of caches containing sensitive information without proper segregation. The flaw does not require authentication or user interaction to exploit, but the attack vector is local (AV:L), meaning the attacker must have some level of access to the system or network where the vulnerable Next.js application is deployed. The impact is primarily on confidentiality, as unauthorized users may gain access to sensitive images. Integrity and availability are not affected. The issue has been addressed in Next.js versions 14.2.31 and 15.4.5, and users are strongly advised to upgrade to these or later versions to mitigate the risk. No known exploits are currently reported in the wild.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on Next.js for web applications that serve sensitive or personalized images via API routes. Unauthorized disclosure of sensitive images could lead to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential legal consequences. Industries such as healthcare, finance, e-commerce, and government services that handle personal or confidential visual data are particularly at risk. Since the vulnerability allows unauthorized access to cached images without authentication, attackers with network access or local access to the application environment could exploit this to harvest sensitive information. This could facilitate further targeted attacks or data breaches. The medium CVSS score (6.2) reflects a moderate risk level, but the actual impact depends on the nature of the images served and the sensitivity of the data involved. Organizations using affected Next.js versions should prioritize patching to prevent potential data leakage and ensure compliance with European data protection standards.
Mitigation Recommendations
1. Upgrade Next.js to version 14.2.31 or later, or 15.4.5 or later, as these versions contain the fix for the cache key confusion vulnerability.
2. Review and audit API routes serving images to ensure they do not rely on request headers for varying responses unless absolutely necessary.
3. Implement strict cache control headers and validation to prevent unauthorized caching of sensitive content.
4. Use network segmentation and access controls to limit local or network access to the application environment, reducing the risk of exploitation.
5. Monitor application logs and cache behavior for anomalies that could indicate unauthorized access or cache misuse.
6. Conduct security testing and code reviews focusing on caching mechanisms and header-based content variation to identify similar issues.
7. Educate development teams about secure caching practices and the risks of serving sensitive data via cacheable API routes.
8. If upgrading is not immediately feasible, consider disabling image optimization API routes or restricting their use to non-sensitive images until patched.
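As an added illustration (constructed model code, not Next.js's implementation and not code from this advisory) of the cache key confusion described in the analysis and of the cache-control mitigation in item 3: a shared image cache keyed only on the URL is compared with one that keys on the request headers named in the response's Vary header, and with one that refuses to store responses marked private or no-store. The route, URL, session cookie and image bodies are all constructed for the example.

```javascript
// Added illustration (a constructed model, not Next.js code) of the cache key
// confusion the advisory describes: a shared image cache keyed only on the URL
// serves one user's personalised image to the next user who asks for that URL.

// Constructed upstream API route: the image depends on the Cookie header, so
// it declares "Vary: Cookie" and marks the response private.
function avatarRoute(req) {
  const m = /session=(\w+)/.exec(req.headers.cookie || "");
  return {
    body: `PNG-for-${m ? m[1] : "anon"}`, // stands in for the image bytes
    headers: { vary: "Cookie", "cache-control": "private, max-age=60" },
  };
}

class ImageCache {
  // honourVary: add the request headers named in Vary to the cache key.
  // honourPrivate: never store responses marked private or no-store.
  constructor({ honourVary, honourPrivate }) {
    Object.assign(this, { honourVary, honourPrivate });
    this.store = new Map();     // cache key -> response
    this.varyByUrl = new Map(); // url -> header names seen in Vary
  }
  keyFor(req) {
    const names = this.honourVary ? this.varyByUrl.get(req.url) || [] : [];
    const parts = names.map((n) => `${n}=${req.headers[n.toLowerCase()] || ""}`);
    return [req.url, ...parts].join("|");
  }
  fetch(req, route) {
    const hit = this.store.get(this.keyFor(req));
    if (hit) return { body: hit.body, cached: true };
    const res = route(req);
    const cc = res.headers["cache-control"] || "";
    if (!(this.honourPrivate && /\b(private|no-store)\b/.test(cc))) {
      const vary = (res.headers.vary || "").split(",").map((s) => s.trim());
      this.varyByUrl.set(req.url, vary.filter(Boolean));
      this.store.set(req.url && this.keyFor(req), res); // key now includes Cookie if honoured
    }
    return { body: res.body, cached: false };
  }
}

// Two users fetch the same (constructed) optimised-image URL through one cache.
function serveTwoUsers(cache) {
  const url = "/optimized-image?src=/api/avatar&w=64";
  const alice = cache.fetch({ url, headers: { cookie: "session=alice" } }, avatarRoute);
  const bob = cache.fetch({ url, headers: { cookie: "session=bob" } }, avatarRoute);
  return { alice: alice.body, bob: bob.body, bobFromCache: bob.cached };
}
```

With the URL-only key Bob receives Alice's image straight from the cache; keying on the Vary-listed Cookie header, or declining to store private responses at all, gives each user their own image.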
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-19T15:16:22.916Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68b2270cad5a09ad007be08b
Added to database: 8/29/2025, 10:17:48 PM
Last enriched: 8/29/2025, 10:32:45 PM
Last updated: 8/29/2025, 10:32:45 PM