CVE-2025-57752: Next.js Affected by Cache Key Confusion for Image Optimization API Routes
6.2
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| next | npm | < 14.2.31 | 14.2.31 |
| next | npm | >= 15.0.0, <= 15.4.4 | 15.4.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in how the Next.js Image Optimizer handles images served from internal API routes. When such a route returns different image content depending on request headers (for example `Cookie` for session-based access or `Authorization` for token-based access), the optimizer's cache does not distinguish between those variations. The root cause was identified in the `fetchInternalImage` function in `packages/next/src/server/image-optimizer.ts`. That function forwarded the incoming request's headers to the internal API route, so the route generated a user-specific image; the optimized result was then stored in the cache under a key that did not include the headers that had influenced the content. A subsequent request for the same image URL from a different user therefore received the cached, potentially sensitive, image. The security patch removes the `headers: _req.headers,` line, so the user-specific headers are no longer passed to the internal API route during the image fetch. The route then sees the same header-less request for every caller and cannot produce per-user variants, so the cached image is the same for whichever user requests it. A direct consequence is that an internal route which needs the caller's session cookie or token to produce its image will now receive an unauthenticated request from the optimizer; such per-user images are not suitable for the optimizer's shared cache.
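The cache key confusion described above, as an added JavaScript model that is not Next.js source or Miggo's code. `ImageOptimizer`, `internalRoute`, `optimizeImage`, `makeRequest` and `scenario` are hypothetical names; the internal route, the "image bytes" and the two users are constructed sample data. The same class is run once with request headers forwarded (the vulnerable behaviour) and once without (the patched behaviour), so the cross-user leak and its removal can be observed side by side.

```javascript
// Added illustration, not Next.js source. ImageOptimizer, internalRoute,
// optimizeImage, makeRequest and scenario are hypothetical names for this model.

// Constructed stand-in for an internal API route that renders a per-user
// image and keys its output on the Cookie header, as a session-bound
// endpoint would.
function internalRoute(req) {
  const m = /session=([^;]+)/.exec(req.headers.cookie || '');
  const user = m ? m[1] : 'anonymous';
  return `PNG-avatar-of-${user}`; // stand-in for image bytes
}

// Stand-in for resizing: tags the "bytes" with the requested width.
function optimizeImage(bytes, width) {
  return `${bytes}@w${width}`;
}

class ImageOptimizer {
  constructor({ forwardRequestHeaders }) {
    this.forwardRequestHeaders = forwardRequestHeaders;
    this.cache = new Map();
  }

  // Key built from the URL and width only: nothing identifying the caller
  // is part of it, matching the behaviour the advisory describes.
  cacheKey(url, width) {
    return `${url}|${width}`;
  }

  // Vulnerable when forwardRequestHeaders is true: the caller's Cookie or
  // Authorization reaches the route, which renders a user-specific image
  // that is then stored under the user-agnostic key. The patched behaviour
  // sends no caller headers to the internal route at all.
  fetchInternalImage(url, req) {
    const headers = this.forwardRequestHeaders ? req.headers : {};
    return internalRoute({ url, headers });
  }

  handle(req) {
    const { url, width } = req.query;
    const key = this.cacheKey(url, width);
    if (this.cache.has(key)) {
      return { fromCache: true, body: this.cache.get(key) };
    }
    const body = optimizeImage(this.fetchInternalImage(url, req), width);
    this.cache.set(key, body);
    return { fromCache: false, body };
  }
}

// Constructed request for the same optimized image URL, with an optional
// session cookie identifying the caller.
function makeRequest(sessionUser) {
  return {
    query: { url: '/api/avatar', width: 64 },
    headers: sessionUser ? { cookie: `session=${sessionUser}` } : {},
  };
}

// Two users hit the same optimizer back to back; report what the second sees.
function scenario(forwardRequestHeaders) {
  const optimizer = new ImageOptimizer({ forwardRequestHeaders });
  const alice = optimizer.handle(makeRequest('alice'));
  const bob = optimizer.handle(makeRequest('bob'));
  return {
    aliceBody: alice.body,
    bobBody: bob.body,
    bobServedFromCache: bob.fromCache,
    crossUserLeak: bob.body.includes('alice'),
  };
}

console.log('vulnerable:', scenario(true));
console.log('patched:', scenario(false));
```

With headers forwarded, Bob's request is a cache hit on the key built from `/api/avatar|64` and he is served Alice's avatar. Without forwarding, the route renders the anonymous image for everyone, so the shared cache entry is the same for every caller; this is also why a route that genuinely needs the session to authorize the image cannot be fronted by the optimizer's cache.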
Vulnerable functions
fetchInternalImage
packages/next/src/server/image-optimizer.ts