CVE-2025-48068
Published 2025-05-30
Priority: P4 · 20 · medium · CVSS 3.1 base score 4.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS: 0.17% (6.1th percentile)
Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in versions 14.2.30 and 15.2.2.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 13.0 < 14.2.30 | 14.2.30 |
| next | next | >= 15.0.0 < 15.2.2 | 15.2.2 |
| vercel | next.js | >= 13.0.0 < 14.2.30 | 14.2.30 |
| vercel | next.js | >= 15.0.0 < 15.2.2 | 15.2.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| NVD | 4.0 | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N |
| Red Hat | — | 2.3 | LOW | — |
Red Hat
next.js: Information exposure in Next.js dev server due to lack of origin verification
vendor_redhat·2025-05-30·CVSS 2.3
CVE-2025-48068 [LOW] CWE-1385 next.js: Information exposure in Next.js dev server due to lack of origin verification
A flaw was found in Next.js. This vulnerability allows limited source code exposure via visiting a malicious webpage while the development server is running with the App Router enabled.
Mitigation: Mitigation for this issue is either not availa
OSV
Information exposure in Next.js dev server due to lack of origin verification
osv·2025-05-28
CVE-2025-48068 [LOW] Information exposure in Next.js dev server due to lack of origin verification
## Summary
A low-severity vulnerability in **Next.js** has been fixed in **version 15.2.2**. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while `npm run dev` is active.
Because the mitigation is potentially a breaking change for some development setups, you must opt in to the fix by configuring `allowedDevOrigins` in your Next.js config after upgrading to a patched version. [Learn more](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins).
Learn more: https://vercel.com/changelog/cve-2025-48068
## Cr
GHSA
Information exposure in Next.js dev server due to lack of origin verification
ghsa·2025-05-28
CVE-2025-48068 [LOW] CWE-1385 Information exposure in Next.js dev server due to lack of origin verification
No detection rules found.
No public exploits indexed.
Published: 2025-05-30