CVE-2025-48068

Aaron Brown, Head of Security


A low-severity vulnerability in the Next.js dev server has been addressed.

Summary

This vulnerability affects Next.js versions 13.0.0 through 14.2.29 and 15.0.0 through 15.2.1. It includes two related issues affecting the local development server: Cross-Site WebSocket Hijacking (CSWSH) and Cross-Origin Script Inclusion. Both stem from the lack of origin validation on development server resources.

Impact

When running next dev, a malicious website can:

  • Initiate a WebSocket connection to localhost and interact with the local development server if the project uses the App Router, potentially exposing internal component code.

  • Inject a <script> tag referencing predictable paths for development scripts (e.g., /app/page.js), which are then executed in the attacker's origin. This can allow extraction of source code.

The root cause is insufficient origin verification on local development server resources, including the WebSocket server and static script endpoints.

This issue is similar to CVE-2018-14732, though scoped strictly to local development use.

Resolution

This issue was fixed in Next.js versions 14.2.30 and 15.2.2. These releases introduce a configuration option to enable origin checks, which help prevent unauthorized cross-origin requests to the local development server. You can learn how to enable this option after upgrading to a patched version by visiting our documentation page. Note that this configuration is currently opt-in and will become the default in a future major release.
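As an added illustration of the origin validation described above (not code from Next.js or Vercel), the check below accepts a dev-server request, whether a WebSocket upgrade or a script fetch, only when its Origin is the server's own host or one the developer has explicitly listed; the allow list and the sample requests are constructed for this example.

```javascript
// Added example, not Next.js's own implementation: an Origin check a dev
// server can apply before accepting a WebSocket upgrade or serving a
// development script. `headers` uses lower-cased header names and
// `allowedOrigins` is a hypothetical developer-supplied allow list.
function isAllowedDevRequest(headers, allowedOrigins = []) {
  const host = headers["host"];
  const origin = headers["origin"];
  const fetchSite = headers["sec-fetch-site"];

  // Without a Host header there is nothing to compare the Origin against.
  if (!host) return false;

  if (origin === undefined) {
    // Browsers omit Origin on a plain <script src> load but still send
    // Sec-Fetch-Site; "cross-site" is exactly the script-inclusion case.
    // Non-browser clients (curl, build tooling) send neither header.
    return fetchSite !== "cross-site";
  }

  let originHost;
  try {
    originHost = new URL(origin).host; // e.g. "localhost:3000"
  } catch {
    return false; // "null" (opaque) or malformed Origin values are rejected
  }

  // Same-origin: the page talking to the dev server is the dev server's own.
  if (originHost === host) return true;

  // Otherwise only explicitly trusted origins may reach dev-server resources.
  return allowedOrigins.some((o) => {
    try { return new URL(o).host === originHost; } catch { return false; }
  });
}

// Constructed sample requests (not captured traffic) covering the two issues.
const SAMPLE_REQUESTS = {
  sameOriginWs:    { host: "localhost:3000", origin: "http://localhost:3000", "sec-fetch-site": "same-origin" },
  hijackWs:        { host: "localhost:3000", origin: "https://other.example", "sec-fetch-site": "cross-site" },
  crossSiteScript: { host: "localhost:3000", "sec-fetch-site": "cross-site" },
  nonBrowser:      { host: "localhost:3000" },
};
```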

Workarounds

  • Avoid browsing untrusted websites while running the local development server

  • Implement local firewall or proxy rules to block unauthorized access to the development server

For Vercel Customers

This CVE affects local development only; no mitigations are required for applications in production on Vercel.

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

References