Vulnerability identifier: #VU109922
Vulnerability risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-1385
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Next.js
Server applications /
Frameworks for developing and running applications
Vendor: Zeit
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to missing origin validation on the WebSocket interface if the project uses the App Router. When running next dev, a malicious website can open a WebSocket connection to localhost and access component source code.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Next.js: before
External links
https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r
https://vercel.com/changelog/cve-2025-48068
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.