Main Vulnerability Database Vulnerabilities #VU109922

Missing Origin Validation in WebSockets in Next.js - CVE-2025-48068

Published: May 29, 2025

Vulnerability identifier: #VU109922

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-48068

CWE-ID: CWE-1385

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: vercel

Affected software:
Next.js

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing origin validation on the WebSocket interface if the project uses the App Router. When running next dev, a malicious website can open a WebSocket connection to localhost and access component source code.

How to mitigate CVE-2025-48068

Install updates from vendor's website.

Sources

https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r
https://vercel.com/changelog/cve-2025-48068

Missing Origin Validation in WebSockets in Next.js - CVE-2025-48068

Detailed vulnerability description

How to mitigate CVE-2025-48068

Sources

Please verify you're human