CVE-2025-48068: Information exposure in Next.js dev server due to lack of origin verification

2.3 CVSS

Description

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in version 15.2.2.

Classification

CVE ID: CVE-2025-48068

CVSS Base Severity: LOW

CVSS Base Score: 2.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Problem Types

CWE-1385: Missing Origin Validation in WebSockets

Affected Products

Vendor: vercel

Product: next.js

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.29% (scored less or equal to compared to others)

EPSS Date: 2025-05-30 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48068
https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r
https://vercel.com/changelog/cve-2025-48068

Timeline

2025-05-30 04:40:14 UTC
CVE

Information exposure in Next.js dev server due to lack of origin verification