CVE-2025-57752 - Vercel

Vercel News·Aaron Brown·5 days ago

Summary

A vulnerability affecting Next.js Image Optimization has been addressed. It impacted versions prior to v15.4.5 and v14.2.31, and involved a cache poisoning issue that caused sensitive image responses from API routes to be cached and subsequently served to unauthorized users. Vercel deployments were never impacted by this vulnerability.

Impact

When API routes are used to return image content that varies based on headers (e.g., Cookie, Authorization), and those images are passed through Next.js Image Optimization, the optimized image may be cached without including those request headers as part of the cache key. This can lead to:

- Unauthorized disclosure of user-specific or protected image content
- Cross-user leakage of conditional content via CDN or internal cache

This issue arises without user interaction and requires no elevated privileges, only a prior authorized request to populate the cache.…
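The cache-key problem described under Impact, modeled as an added example that is not taken from the advisory or from Next.js source. The toy optimizer, the `origin` routes and the "hardened" policy are assumptions chosen to show one defensive approach (bypass the shared cache for credentialed requests and for responses marked `Vary: Cookie` or `Cache-Control: private`); it is not the fix shipped in the patched releases.

```javascript
// Added illustration of the caching flaw class; not Next.js source code.
const CREDENTIAL_HEADERS = ["cookie", "authorization"];

// Constructed origin: /api/avatar varies by Cookie, /logo.png is public.
function origin(req) {
  if (req.url === "/logo.png") return { headers: {}, body: "logo" };
  const user = (req.headers.cookie || "session=anonymous").replace("session=", "");
  return { headers: { vary: "Cookie", "cache-control": "private" }, body: `avatar-of-${user}` };
}

function makeOptimizer({ hardened }) {
  const cache = new Map();
  return function optimize(req) {
    // Weak pattern from the advisory: key covers URL and transform params only.
    const key = `${req.url}|w=${req.width}|q=${req.quality}`;
    const hasCreds = CREDENTIAL_HEADERS.some((h) => h in req.headers);
    // Hardened policy (assumption): credentialed requests never read the shared cache.
    if (!(hardened && hasCreds) && cache.has(key)) {
      return { body: cache.get(key), cache: "HIT" };
    }
    const upstream = origin(req);
    const body = `optimized(${upstream.body})`;
    const varies = /cookie|authorization/i.test(upstream.headers.vary || "");
    const isPrivate = /private|no-store/i.test(upstream.headers["cache-control"] || "");
    // Hardened policy (assumption): never store per-user or private responses.
    const store = !hardened || !(hasCreds || varies || isPrivate);
    if (store) cache.set(key, body);
    return { body, cache: store ? "MISS" : "BYPASS" };
  };
}

// Replays the same request sequence against either policy.
function simulate(hardened) {
  const optimize = makeOptimizer({ hardened });
  const avatar = { url: "/api/avatar", width: 256, quality: 75 };
  const logo = { url: "/logo.png", width: 256, quality: 75, headers: {} };
  return {
    alice: optimize({ ...avatar, headers: { cookie: "session=alice" } }),
    bob: optimize({ ...avatar, headers: { cookie: "session=bob" } }),
    anon: optimize({ ...avatar, headers: {} }),
    logo1: optimize(logo),
    logo2: optimize(logo),
  };
}

console.log("weak:", simulate(false));
console.log("hardened:", simulate(true));
```

With the weak policy, the second and third callers receive the first caller's image from cache; with the hardened policy each caller gets their own response while the public asset is still cached.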
