CVE-2025-57752: CWE-524: Use of Cache Containing Sensitive Information in vercel next.js
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
AI Analysis
Technical Summary
CVE-2025-57752 is a medium-severity vulnerability affecting the Next.js framework, specifically versions prior to 14.2.31 and versions from 15.0.0 up to but not including 15.4.5. Next.js is a widely used React framework for building full-stack web applications, and it includes an Image Optimization API that serves images efficiently. The vulnerability arises from a cache key confusion issue in the Image Optimization API routes. When images served by these API routes vary depending on request headers such as Cookie or Authorization, the caching mechanism may incorrectly reuse cached images across different users. This means that sensitive images intended for one user could be served to another unauthorized user, leading to a confidentiality breach. The root cause is that the cache keys do not sufficiently differentiate requests based on varying headers, causing the cache to return stale or incorrect content. This vulnerability is classified under CWE-524, which relates to the use of caches containing sensitive information without proper segregation. The CVSS v3.1 base score is 6.2, indicating a medium severity level, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). No known exploits are currently reported in the wild. The issue has been fixed in Next.js versions 14.2.31 and 15.4.5, and users are strongly advised to upgrade to these or later versions if they use the Image Optimization API with header-dependent image responses.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive image data served via Next.js applications. Organizations that rely on Next.js for web applications that serve personalized or sensitive images (such as healthcare providers, financial institutions, e-commerce platforms, or government services) could inadvertently expose private user data to unauthorized parties. This could lead to data privacy violations under GDPR, resulting in regulatory penalties and reputational damage. Since the vulnerability allows unauthorized users to receive cached images intended for others without requiring authentication or user interaction, the risk of data leakage is elevated. The impact is particularly critical for applications that use authentication tokens or cookies to deliver user-specific images, as these images could be cached and served incorrectly. Although the attack vector is local, meaning the attacker must have some level of access to the network or application environment, exploitation is of low complexity and requires no privileges, which increases the threat surface. The lack of impact on integrity and availability means the primary concern is confidentiality loss. European organizations with public-facing Next.js applications or internal apps accessible within corporate networks should assess their exposure promptly.
Mitigation Recommendations
1. Immediate upgrade: Organizations should upgrade all affected Next.js instances to versions 14.2.31 or 15.4.5 or later, where the vulnerability is patched.
2. Cache configuration review: Review and adjust cache key configurations to ensure that all headers influencing the response (e.g., Authorization, Cookie) are included in the cache key to prevent cross-user cache leakage.
3. Audit API routes: Identify all API routes serving images that vary based on request headers and verify that they are not vulnerable to cache key confusion.
4. Implement strict access controls: Restrict access to internal networks and API endpoints to reduce the risk of local attackers exploiting the vulnerability.
5. Monitoring and logging: Enable detailed logging of image API requests and cache hits/misses to detect anomalous access patterns that may indicate exploitation attempts.
6. Security testing: Conduct penetration testing focusing on cache behavior and header-based response variations to confirm the vulnerability is mitigated.
7. User education: Inform development teams about secure caching practices and the importance of including all relevant request headers in cache keys when serving sensitive content.
8. Incident response planning: Prepare to respond to potential data leakage incidents, including notification procedures compliant with GDPR.
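The following is an added illustration of the cache key confusion described in the technical summary and of mitigation items 2 and 5; it is not Next.js source code or the vendor's fix. A toy response cache first keys on the URL alone (the flawed pattern) and then honours the origin's Vary header (RFC 9111 section 4.1) so that header-dependent image responses are stored per header value; the origin route, URLs and session cookies are constructed for the example.

```javascript
// Constructed origin: an image API route whose response depends on the Cookie header.
// It declares this dependency with "Vary: Cookie", as a correct origin should.
function originFetch(url, reqHeaders) {
  const m = /session=(\w+)/.exec(reqHeaders.cookie || '');
  const user = m ? m[1] : 'anonymous';
  return { body: `image-for-${user}`, headers: { vary: 'Cookie' } };
}

// Parse a Vary header value into lower-cased request header names.
function varyNames(varyValue) {
  return (varyValue || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// honorVary=false reproduces the flawed behaviour: the URL is the whole cache key.
// honorVary=true keys each stored response by the request header values it varied on.
function makeCache(fetchFn, honorVary) {
  const store = new Map();  // url -> [{ names, values, body }]
  const log = [];           // per-request HIT/MISS log (mitigation 5: detect odd hit patterns)
  return {
    get(url, reqHeaders) {
      const entries = store.get(url) || [];
      const hit = entries.find(e =>
        !honorVary || e.names.every(n => e.values[n] === (reqHeaders[n] || '')));
      if (hit) { log.push({ url, result: 'HIT' }); return hit.body; }
      const res = fetchFn(url, reqHeaders);
      const names = honorVary ? varyNames(res.headers.vary) : [];
      const values = Object.fromEntries(names.map(n => [n, reqHeaders[n] || '']));
      entries.push({ names, values, body: res.body });
      store.set(url, entries);
      log.push({ url, result: 'MISS' });
      return res.body;
    },
    log,
  };
}

// Two users request the same image URL with different session cookies.
// With a URL-only key, Bob receives Alice's cached image (leaked === true).
function demo(honorVary) {
  const cache = makeCache(originFetch, honorVary);
  const alice = cache.get('/api/avatar', { cookie: 'session=alice' });
  const bob = cache.get('/api/avatar', { cookie: 'session=bob' });
  return { alice, bob, leaked: alice === bob, log: cache.log.map(e => e.result) };
}
```

A real deployment would additionally mark such responses private or uncacheable rather than relying on Vary: Cookie alone, since cookies vary per request far more than the images do.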
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-19T15:16:22.916Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68b2270cad5a09ad007be08b
Added to database: 8/29/2025, 10:17:48 PM
Last enriched: 9/7/2025, 12:32:59 AM
Last updated: 10/14/2025, 3:58:08 PM