Next.js Cache Key Confusion Vulnerability in Image Optimization API Routes

Vulnerability

A cache key confusion vulnerability has been identified in the Next.js Image Optimization API routes, affecting versions prior to 14.2.31 and from 15.0.0 to before 15.4.5. This vulnerability arises when images served through API routes vary based on request headers such as Cookie or Authorization. In such cases, the responses could be improperly cached and inadvertently delivered to unauthorized users. The issue has been resolved in Next.js versions 14.2.31 and 15.4.5.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user-specific or protected image content, allowing for cross-user leakage of conditional content via CDN or internal cache.

Reproduction

To reproduce this vulnerability, use a version of Next.js that is affected by this issue and enable image optimization. Create an API route that serves images based on request headers like Cookie or Authorization. When an image is requested, the response will be cached without considering the headers, leading to potential unauthorized access when the image is served from the cache.
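A minimal model of the caching behaviour described above, added here as an illustration. It is not Next.js source code or the actual patch, and every name in it (`originApiRoute`, `makeOptimizer`, `flawedKey`, `safeKey`, `demo`) is hypothetical. It contrasts a cache key that ignores credentials with a policy that skips the cache for any request carrying Cookie or Authorization.

```javascript
// Simplified model of an image optimizer cache. Not Next.js code; all names are hypothetical.

// Constructed origin: an API route whose image bytes depend on the Cookie header.
function originApiRoute(url, headers) {
  const user = /session=(\w+)/.exec(headers.cookie || "");
  return user ? `private-image-for-${user[1]}` : "placeholder-image";
}

// keyFn decides which parts of the request form the cache key.
// A null key means "do not read from or write to the cache".
function makeOptimizer(keyFn) {
  const cache = new Map();
  return function optimize(req) {
    const key = keyFn(req);
    if (key !== null && cache.has(key)) {
      return { body: cache.get(key), hit: true };
    }
    const body = originApiRoute(req.url, req.headers);
    if (key !== null) cache.set(key, body);
    return { body, hit: false };
  };
}

// Flawed key (assumed shape for this model): url, width and quality only.
// The headers that changed the response are not part of the key.
const flawedKey = (req) => JSON.stringify([req.url, req.w, req.q]);

// Safer policy: responses to credentialed requests are never cached.
const safeKey = (req) =>
  req.headers.cookie || req.headers.authorization ? null : flawedKey(req);

// Constructed request sequence: an authenticated user first, then an anonymous one.
function demo(keyFn) {
  const optimize = makeOptimizer(keyFn);
  const base = { url: "/api/avatar", w: 256, q: 75 };
  const alice = optimize({ ...base, headers: { cookie: "session=alice" } });
  const anon = optimize({ ...base, headers: {} });
  return { alice: alice.body, anon: anon.body, anonHit: anon.hit };
}

console.log("flawed:", demo(flawedKey));
console.log("safe:  ", demo(safeKey));
```

With `flawedKey` the anonymous request is answered from the cache entry created for the authenticated user; with `safeKey` it reaches the origin and receives the placeholder.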

Remediation

Users should upgrade to Next.js versions 14.2.31 or 15.4.5.

Added: Aug 29, 2025, 10:20 PM
Updated: Aug 29, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 8.6
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.