VulWall Team March 19, 2026 5 min read

Next.js Image Cache Leak Can Expose Private Images to Wrong Users

Your website uses Next.js, a popular framework for building web apps. A flaw in how it caches (stores and reuses) images means that a private image loaded by one logged-in user could be accidentally served to a different user who shouldn't see it. Think of it like a photo printing kiosk that accidentally hands your photos to the next person in line. This only affects sites that serve different images to different users based on who is logged in.

OWASP A02 Effort: small Exploitable
cve cache-deception cwe-524 next.js image-optimization information-disclosure authentication-bypass

Business Impact And Actions

high urgency

Business Impact

If your app serves user-specific images through Next.js's built-in image optimization — such as profile pictures, documents, or any image that changes based on who is logged in — those images could be exposed to other users. This is a data privacy issue that could trigger compliance concerns (e.g., GDPR) and erode customer trust if sensitive images are leaked. Sites that serve the same images to all users are not affected.

What To Do

  1. Ask your developer to check which version of Next.js your site is running — if it's below 14.2.31 (or between 15.0.0 and 15.4.4), it needs to be updated.
  2. Have your developer upgrade Next.js to version 14.2.31 or 15.4.5 — this is a straightforward package update, typically under an hour.
  3. Ask your developer whether your app serves different images to different users based on login status. If it does, treat this as a priority fix. If all images are public and the same for everyone, your risk is very low.
  4. After the upgrade, ask your developer to confirm the new version is live in production and run a quick smoke test to make sure images still load correctly.

Next.js Cache Key Confusion in Image Optimization API Routes (CVE-2025-57752)

medium severity CVSS 5.3-6.5

Vulnerability Explanation

The Next.js Image Optimization pipeline contains a cache key confusion bug in the `fetchInternalImage` function (`packages/next/src/server/image-optimizer.ts`). When an internal API route is used as an image source, the optimizer forwards the incoming request's headers (e.g., `Cookie`, `Authorization`) to the API route, allowing the route to generate user-specific image content. However, the resulting optimized image is stored in the cache using a key derived only from image parameters (URL, width, quality, MIME type) — not from the request headers that influenced the image content. This means the first authenticated user to request a protected image populates the cache, and subsequent unauthenticated or differently-authenticated users receive that same cached image without needing valid credentials.

Root Cause

The cache key for optimized images was computed from image-level parameters only (URL, width, quality, MIME type), without accounting for request headers that the upstream API route used to produce user-specific content. This mismatch between cache key scope and content variation scope is a classic cache deception pattern (CWE-524).

Technical Impact

An unauthenticated or differently-authenticated user can receive image content intended for another user. This enables unauthorized disclosure of user-specific or protected image content, and cross-user leakage of conditional content via CDN or internal application cache. No elevated privileges or user interaction are required beyond a prior authorized request having populated the cache.

Severity Justification

Exploitability is conditional: the vulnerability only manifests when API routes serve header-dependent images through Next.js Image Optimization. No active exploitation or user interaction is required once the cache is primed, but the attack surface is limited to apps with this specific architecture. GitHub Advisory rates this as Moderate severity.

Affected Components

  • next >= 0.9.9, < 14.2.31
  • next >= 15.0.0, < 15.4.5

Remediation Steps

  1. Identify your current Next.js version by running `npm list next` or checking `package.json`.
  2. If on the 14.x line, upgrade to 14.2.31: `npm install next@14.2.31` (or `yarn add next@14.2.31`).
  3. If on the 15.x line, upgrade to 15.4.5: `npm install next@15.4.5` (or `yarn add next@15.4.5`).
  4. If on Next.js 13 or older (end-of-life), plan a migration to v14 or v15. As an interim workaround, avoid serving header-dependent images through Next.js Image Optimization — serve them directly from your API route without using the `<Image>` component or `/_next/image` endpoint.
  5. Rebuild and redeploy your application. Clear any existing image optimization cache (delete the `.next/cache/images` directory) to purge any potentially leaked cached images.
  6. Verify the fix by checking `npm list next` in production and confirming the version is 14.2.31+ or 15.4.5+.

Verification Steps

  1. Run `npm list next` or `cat package.json | grep '"next"'` to confirm the installed version.
  2. Check the running version in production via `/_next/static/chunks/` build manifests or your deployment platform's dependency view.
  3. If you have header-dependent image routes, test that a request without valid auth credentials does not return a previously cached authenticated image (e.g., use `curl` with and without a valid session cookie against a `/_next/image?url=...` endpoint).
  4. Confirm `.next/cache/images` has been cleared and repopulated post-deploy.

Code Examples (json)

Vulnerable
// package.json — vulnerable version
{
  "dependencies": {
    "next": "12.3.1"
  }
}
Fixed
// package.json — patched version (14.x line)
{
  "dependencies": {
    "next": "14.2.31"
  }
}

// Or for the 15.x line:
{
  "dependencies": {
    "next": "15.4.5"
  }
}

Best Practices

  • Never use Next.js Image Optimization (the `<Image>` component or `/_next/image` endpoint) to serve images whose content varies by user session or authorization state — serve those directly from your API with proper cache-control headers (`Cache-Control: private, no-store`).
  • When building image-serving API routes that depend on auth headers, explicitly set `Cache-Control: private, no-store` on the response to prevent any intermediate cache from storing the result.
  • Pin your Next.js version in `package.json` and use a dependency audit tool (e.g., `npm audit`, Dependabot, or Snyk) to receive automated alerts for future security patches.
  • After any security-related upgrade, clear your application's image cache directory (`.next/cache/images`) before redeploying to ensure stale cached content is not served.

References

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.

Scan Your Domain Free
Back to Knowledge Base