Main Vulnerability Database Vulnerabilities #VU109922

#VU109922 Missing Origin Validation in WebSockets in Next.js - CVE-2025-48068

Published: May 29, 2025

Vulnerability identifier: #VU109922

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-48068

CWE-ID: CWE-1385

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Next.js

Software vendor:
vercel

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing origin validation on the WebSocket interface if the project uses the App Router. When running next dev, a malicious website can open a WebSocket connection to localhost and access component source code.

Remediation

Install updates from vendor's website.

External links

https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r
https://vercel.com/changelog/cve-2025-48068

#VU109922 Missing Origin Validation in WebSockets in Next.js - CVE-2025-48068

Description

Remediation

External links

Please verify you're human