Platform
nodejs
Component
next
Fixed in
13.0.1
15.0.1
15.2.2
A low-severity vulnerability (CVE-2025-48068) has been identified and addressed in Next.js version 15.2.2. This issue potentially allows for limited source code exposure within local development environments when the App Router is active. The vulnerability requires a user to visit a malicious webpage while npm run dev is running, impacting developers using Next.js for local development.
The primary impact of CVE-2025-48068 is the potential exposure of source code during local development. An attacker could craft a malicious webpage that, when visited while the Next.js development server is running, triggers the exposure of portions of the application's source code. While the scope is limited to the developer's machine and local environment, this could reveal sensitive information such as API keys, database credentials (if hardcoded), or proprietary algorithms. The risk is significantly reduced as it requires active development and a user visiting a malicious site.
CVE-2025-48068 is currently not listed on KEV. The CVSS score of 2.5 (LOW) indicates a relatively low probability of exploitation. No public proof-of-concept (PoC) code had been released as of the publication date, and there are no indications of active campaigns targeting this vulnerability. The vulnerability was published on 2025-05-28.
Exploit status
EPSS
0.04% (percentile 12%)
CISA SSVC
The recommended mitigation for CVE-2025-48068 is to upgrade to Next.js version 15.2.2 or later. Due to potential breaking changes in development configurations, simply upgrading might not be sufficient. After upgrading, you must configure the allowedDevOrigins setting in your next.config.js file to explicitly define which origins are permitted to access the development server. This restricts the potential for malicious origins to trigger the vulnerability. Refer to the Next.js documentation for detailed instructions on configuring allowedDevOrigins. After upgrade and configuration, confirm by attempting to access the development server from an unauthorized origin; it should be blocked.
Update Next.js to version 14.2.30 or later if you are on the 14.x series, or to version 15.2.2 or later if you are on the 15.x series. This resolves the information-exposure vulnerability in the development server. Run `npm update next` or `yarn upgrade next` to move to the fixed version.
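The configuration step described above, as an added example that is not part of this advisory or the Next.js project's own documentation. It assumes Next.js 15.2.2 or later (where the allowedDevOrigins option exists); the hostnames and address listed are placeholders to be replaced with the origins your team actually uses to reach the development server.

```javascript
// next.config.js (added example; placeholder origins, not values from the advisory)
// Assumption: Next.js 15.2.2 or later, where `allowedDevOrigins` is available.

/** @type {import('next').NextConfig} */
const nextConfig = {
  // Browser requests to the dev server from an origin other than the one it is
  // served on are refused unless that origin is listed here. Keep the list as
  // short as possible: only the hosts from which developers open `next dev`.
  // If you only ever open it as http://localhost:3000, omit the option entirely.
  allowedDevOrigins: [
    'dev-workstation.local', // placeholder: a teammate's machine on the LAN
    '192.168.1.50',          // placeholder: a phone or VM used for device testing
  ],
  // Wildcard patterns such as '*.corp.example' admit every matching subdomain;
  // prefer explicit hostnames so an unexpected origin is rejected by default.
};

module.exports = nextConfig;
```

After restarting `npm run dev`, verify the setting as the advisory suggests: open a page served from an origin that is not in the list and confirm that its requests to the development server are blocked, while a page loaded from a listed origin still works.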
CVE-2025-48068 is a low-severity vulnerability in Next.js affecting versions before 15.2.2. It allows limited source code exposure in local development environments when the App Router is enabled, requiring a user to visit a malicious webpage.
You are affected if you are using a Next.js version earlier than 15.2.2 and have the App Router enabled in your development environment. Developers on older versions are at higher risk.
Upgrade to Next.js version 15.2.2 or later. After upgrading, configure the allowedDevOrigins setting in your next.config.js file to restrict access to the development server.
As of the publication date, there are no indications of active exploitation or public proof-of-concept code for CVE-2025-48068.
Refer to the Next.js documentation for details on the vulnerability and mitigation steps: https://nextjs.org/docs/ap