A low-severity vulnerability in the Next.js dev server has been addressed.
Summary
This vulnerability affects Next.js versions 13.0.0 through 14.2.29 and 15.0.0 through 15.2.1. It includes two related issues affecting the local development server: Cross-Site WebSocket Hijacking (CSWSH) and Cross-Origin Script Inclusion. Both stem from the lack of origin validation on development server resources.
Impact
When running next dev, a malicious website can:
- Initiate a WebSocket connection to localhost and interact with the local development server if the project uses the App Router, potentially exposing internal component code.
- Inject a <script> tag referencing predictable paths for development scripts (e.g., /app/page.js), which are then executed in the attacker's origin. This can allow extraction of source code.
The root cause is insufficient origin verification on local development server resources, including the WebSocket server and static script endpoints.
This issue is similar to CVE-2018-14732, though scoped strictly to local development use.
Resolution
This issue was fixed in Next.js versions 14.2.30 and 15.2.2. These releases introduce a configuration option to enable origin checks, which help prevent unauthorized cross-origin requests to the local development server. You can learn how to enable this option after upgrading to a patched version by visiting our documentation page. Note that this configuration is currently opt-in and will become the default in a future major release.
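The kind of origin check the patched releases make available, as an added example that is not Next.js's own code. It assumes the dev server is reached as http://localhost:3000 and receives Node-style lower-cased request headers, and it goes one step beyond the WebSocket case: a cross-origin <script src> load carries no Origin header, so the script-inclusion issue is recognised from the browser's Sec-Fetch-Site and Sec-Fetch-Dest headers instead.

```javascript
// Added example, not Next.js's own code: an origin check of the kind whose
// absence this advisory describes, written as a request gate a local dev
// server could apply before serving its HMR WebSocket or development scripts.
// Assumptions: the dev server is reached as http://localhost:3000 and request
// headers are a lower-cased name -> value object, as in Node's http module.

const ALLOWED_DEV_ORIGINS = new Set([
  'http://localhost:3000',
  'http://127.0.0.1:3000',
]);

// Decide whether a request may reach a dev-server resource.
// - WebSocket upgrades and fetch()/XHR carry an Origin header; an origin
//   outside the allowlist (including the opaque origin "null") is refused,
//   which stops cross-site WebSocket hijacking.
// - A cross-origin <script src> load sends no Origin header, but current
//   browsers send Sec-Fetch-Site/Sec-Fetch-Dest, so a cross-site script
//   subresource request is still recognised and refused.
// - Top-level navigations (Sec-Fetch-Dest: document) and clients that send
//   none of these headers (curl, older browsers) pass through.
function devRequestDecision(headers, allowed = ALLOWED_DEV_ORIGINS) {
  const origin = headers['origin'];
  const site = headers['sec-fetch-site'];
  const dest = headers['sec-fetch-dest'];
  const isUpgrade = String(headers['upgrade'] || '').toLowerCase() === 'websocket';

  if (origin !== undefined && !allowed.has(origin)) {
    const what = isUpgrade ? 'WebSocket upgrade' : 'request';
    return { allow: false, reason: `cross-origin ${what} from ${origin}` };
  }
  if (site === 'cross-site' && dest !== 'document') {
    return { allow: false, reason: `cross-site ${dest || 'subresource'} load` };
  }
  return { allow: true, reason: 'same-origin request or navigation' };
}

// Constructed sample requests (not captured traffic) covering both issues.
const SAMPLE_REQUESTS = {
  hmrFromAttacker: { origin: 'https://attacker.example', upgrade: 'websocket' },
  hmrFromDevTab: { origin: 'http://localhost:3000', upgrade: 'websocket' },
  scriptTagFromAttacker: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'script' },
  navigationFromLink: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'document' },
};

// Map each sample to whether the gate would serve it.
function evaluateSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLE_REQUESTS).map(([name, h]) => [name, devRequestDecision(h).allow]),
  );
}
console.log(evaluateSamples());
```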
Workarounds
- Avoid browsing untrusted websites while running the local development server.
- Implement local firewall or proxy rules to block unauthorized access to the development server.
For Vercel Customers
This CVE affects local development only; no mitigations are required for applications in production on Vercel.
Credit
Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.