CVE-2025-57752


Summary

A vulnerability affecting Next.js Image Optimization has been addressed. It impacted versions prior to v15.4.5 and v14.2.31, and involved a cache poisoning issue that caused sensitive image responses from API routes to be cached and subsequently served to unauthorized users.

Vercel deployments were never impacted by this vulnerability.

Impact

When API routes are used to return image content that varies based on headers (e.g., Cookie, Authorization), and those images are passed through Next.js Image Optimization, the optimized image may be cached without including those request headers as part of the cache key. This can lead to:

  • Unauthorized disclosure of user-specific or protected image content

  • Cross-user leakage of conditional content via CDN or internal cache

This issue arises without user interaction and requires no elevated privileges, only a prior authorized request to populate the cache.

Resolution

The issue was resolved by ensuring request headers aren’t forwarded to the request that is proxied to the image endpoint. As a result, the image endpoint cannot be used to serve images that require authorization data, so those images can no longer be cached.
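The cache-key gap and the effect of the fix, as an added illustration (a simplified model, not Next.js source or code from this advisory). The route, cookie name, and function names are hypothetical, and the requests are constructed sample input.

```javascript
// Simplified model of the flaw; not Next.js source. All names are hypothetical.

// Constructed upstream API route: per-user image, 401 without a session cookie.
function avatarRoute(headers) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(headers.cookie || "");
  if (!m) return { status: 401, body: null };
  return { status: 200, body: `private-avatar-of-${m[1]}` };
}

// Model of an image optimizer whose cache key ignores request headers.
function makeOptimizer({ forwardHeaders }) {
  const cache = new Map();
  return function optimize(req) {
    // Key is built from URL, width and quality only: no Cookie/Authorization.
    const key = JSON.stringify([req.url, req.w, req.q]);
    if (cache.has(key)) return { ...cache.get(key), cache: "HIT" };
    // Vulnerable model forwards the caller's headers upstream; fixed model sends none.
    const upstream = avatarRoute(forwardHeaders ? req.headers : {});
    if (upstream.status !== 200) {
      return { status: upstream.status, body: null, cache: "MISS" }; // errors are not cached
    }
    const entry = { status: 200, body: `optimized(${upstream.body})` };
    cache.set(key, entry);
    return { ...entry, cache: "MISS" };
  };
}

// An authorized request followed by an anonymous one for the same URL/size.
function simulate(forwardHeaders) {
  const optimize = makeOptimizer({ forwardHeaders });
  const base = { url: "/api/avatar", w: 64, q: 75 };
  const alice = optimize({ ...base, headers: { cookie: "session=alice" } });
  const anonymous = optimize({ ...base, headers: {} });
  return { alice, anonymous };
}

const before = simulate(true);  // headers forwarded (pre-fix behaviour)
const after = simulate(false);  // headers dropped (post-fix behaviour)
console.log("before fix:", before.anonymous); // served alice's image from cache
console.log("after fix: ", after.anonymous);  // upstream refuses, nothing cached
```

In the fixed model the authorized user is refused as well, which matches the advisory: header-dependent images can no longer be served through the optimizer at all.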

Fix available in:

  • Next.js v15.4.5

  • Next.js v14.2.31

Credit

Thanks to reddounsf for the responsible disclosure.

References