Vercel discovered and patched an information disclosure vulnerability in the Flags SDK, affecting versions:
flags≤ 3.2.0@vercel/flags≤ 3.1.1
This is being tracked as CVE-2025-46332. We have published an automatic mitigation for the default configuration of the Flags SDK on Vercel.
We recommend upgrading to flags@4.0.0 (or migrating from @vercel/flags to flags) to remediate the issue. Further guidance can be found in the upgrade guide.
Link to headingImpact and analysis
A malicious actor could determine the following under specific conditions:
Flag names
Flag descriptions
Available options and their labels (e.g.
true,false)Default flag values
Flags providers were not accessible. No write access nor additional customer data was exposed, this is limited to the values noted above.
Link to headingAutomatic mitigation
Vercel implemented a network-level mitigation to prevent the default flags discovery endpoint at /.well-known/vercel/flags being reachable, which automatically protects Vercel deployments against exploitation of this issue.
While uncommon, if you are exposing the flags discovery endpoint through custom paths, you can also implement a custom WAF rule to restrict access to these endpoints as a mitigation, for example when using:
Pages Router, as the original non-rewritten route would still be accessible, e.g.
/api/vercel/flagsMicrofrontends, as each application may use a distinct flags discovery endpoint
Link to headingRecommendations
We recommend that all users upgrade to flags@4.0.0. Flags Explorer will be disabled and show a warning notice until you upgrade to the latest version.
More information can be found in the upgrade guide.