#VU114574 Use of cache containing sensitive information in Next.js - CVE-2025-57752
Vulnerability identifier: #VU114574
Vulnerability risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-524
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Next.js
Server applications /
Frameworks for developing and running applications
Vendor: Zeit
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper cache management in Image Optimization API. A remote attacker can gain access to sensitive images cached by the application.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Next.js: 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.1.0, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 14.2.0, 14.2.1, 14.2.2, 14.2.3, 14.2.4, 14.2.5, 14.2.6, 14.2.7, 14.2.8, 14.2.9, 14.2.10, 14.2.11, 14.2.12, 14.2.13, 14.2.14, 14.2.15, 14.2.16, 14.2.17, 14.2.18, 14.2.19, 14.2.20, 14.2.21, 14.2.22, 14.2.23, 14.2.24, 14.2.25, 14.2.26, 14.2.27, 14.2.28, 14.2.29, 14.2.30, 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.2.0, 15.2.1, 15.2.2, 15.2.3, 15.2.4, 15.2.5, 15.3.0, 15.3.1, 15.3.2, 15.3.3, 15.3.4, 15.3.5, 15.4.0, 15.4.1, 15.4.2, 15.4.3, 15.4.4
External links
https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
https://github.com/vercel/next.js/pull/82114
https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v
https://vercel.com/changelog/cve-2025-57752
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
