CVE-2025-41094 is a cache key confusion issue in the Next.js Image Optimization API. It affects API routes that serve images whose content depends on request headers such as `Cookie` or `Authorization`. The image optimization cache derives its key from the request URL and a fixed, default set of headers only, leaving those varying headers out of the key. The first request therefore populates a single cache entry, and every later request for the same image URL, whatever its session or authorization headers, is served that same entry. An unauthorized user can thus receive an image that was generated for an authenticated one.
Platform: Next.js
Version: <15.4.5, <14.2.31
Vulnerability: Cache Poisoning
Severity: Moderate
Date: 2025-08-29
Prediction: Patch Released
What Undercode Says:
`curl -H "Cookie: session=abc" http://site.com/api/protected-img`
`curl -H "Cookie: session=xyz" http://site.com/api/protected-img`
The second request returns the image cached by the first request.
How to Exploit:
Craft requests to protected image API routes. Observe cached responses served to unauthorized sessions lacking the original headers.
Protection from this CVE:
Upgrade to v15.4.5 or v14.2.31. The patch modifies the cache key generation algorithm to include all relevant headers, ensuring responses are segmented by user session.
Impact:
Unauthorized Data Access. Sensitive images served from API routes can be viewed by users without proper credentials due to improper cache isolation.
Sources:
Reported By: github.com