Information exposure in Next.js dev server due to lack of origin verification

GHSA-3h52-269p-cp9r · CVE-2025-48068

Published May 28, 2025 · Modified Jun 13, 2025

Description

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

References

WEB https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-48068
PACKAGE https://github.com/vercel/next.js
WEB https://vercel.com/changelog/cve-2025-48068

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes