CVE-2025-57752

Cache Deception
Affects: Next.js
Versions: >=12.0.0 <14.2.31, >=15.0.0 <15.4.5
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Next.js is a React framework for building web applications.

A cache deception vulnerability (CVE-2025-57752) has been identified in the Image Optimization feature that could lead to authentication bypass and data leakage issues. This vulnerability stems from a mismatch between how cached images are stored versus how they're fetched.

Cache deception does not necessarily involve injecting malicious payloads into the cache for other users (that is cache poisoning); instead, it abuses how caching rules are interpreted so that legitimate, sensitive content is cached under a key that later requesters, who lack the original user's credentials, can still hit.

The issue lies in the image caching mechanism: the cache key is generated from image-specific parameters only (URL, width, quality, MIME type), while the upstream fetch that produces the image forwards user-specific HTTP headers such as authentication cookies and Authorization tokens. As a result, one user's authenticated request can populate the cache, and subsequent users requesting the same URL, width, quality and MIME type receive that cached image without presenting their own credentials.

Per MITRE (CWE-524, Use of Cache Containing Sensitive Information), authorization bypass can result from the use of a cache containing sensitive information: the code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. A cache maintains a pool of objects, threads, connections, pages, financial data, passwords, or other resources to minimize the time it takes to initialize and access these resources. If the cache is accessible to unauthorized actors, attackers can read the cache and obtain this sensitive information.

This issue affects all versions of Next.js less than 14.2.31 and 15.x versions less than 15.4.5.

Details

Vulnerability Info

This Medium-severity vulnerability is found in the Image Optimization feature of the Next.js framework in the affected versions.

The vulnerability occurs when API endpoints serve dynamic image content that depends on request headers (such as Cookie or Authorization headers). When these images undergo Next.js Image Optimization, the system caches the optimized results using a cache key that excludes the original request headers. This creates two primary security risks:

  • Sensitive, user-specific image content may be inadvertently exposed to unauthorized users
  • Protected content intended for one user can leak to other users through shared cache layers (both CDN and application-level caches)

Attack Prerequisites:

  • No user interaction required to exploit the vulnerability
  • No special privileges needed beyond normal application access
  • Exploitation only requires that an authenticated user has previously accessed the image, thereby populating the cache

Mitigation

Next.js v13 and older versions have reached End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate to a supported version of Next.js.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.


Vulnerability Details

ID: CVE-2025-57752
Project Affected: Next.js
Versions Affected: >=12.0.0 <14.2.31, >=15.0.0 <15.4.5
Published date: October 7, 2025
Approximate fix date: October 3, 2025
Severity: Medium
Category: Cache Deception

Severity scale (CVSS assessment): Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10