GHSA-g5qg-72qw-gw5v

Source

https://github.com/advisories/GHSA-g5qg-72qw-gw5v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-g5qg-72qw-gw5v/GHSA-g5qg-72qw-gw5v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g5qg-72qw-gw5v

Aliases

CVE-2025-57752

Published

2025-08-29T22:06:22Z

Modified

2025-08-29T22:42:23.282216Z

Severity

6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Next.js Affected by Cache Key Confusion for Image Optimization API Routes

Details

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

Database specific

{
    "severity": "MODERATE",
    "github_reviewed_at": "2025-08-29T22:06:22Z",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-524"
    ],
    "github_reviewed": true
}

References

Affected packages

npm / next

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

14.2.31

npm / next

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.0.0

Fixed

15.4.5

Database specific

{
    "last_known_affected_version_range": "<= 15.4.4"
}