Information exposure in Next.js dev server due to lack of origin verification

🗓️ 28 May 2025 21:52:13Reported by GitHub Advisory DatabaseType

Next.js server allows code exposure through Cross-site WebSocket attacks when run locally.

Reporter	Title	Published	Views	Family All 18
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Event Processing	30 Dec 202512:59	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security QRadar Network Threat Analytics app for IBM QRadar SIEM includes a component with known vulnerabilities (CVE-2025-29927 & CVE-2025-48068)	23 Oct 202513:11	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security QRadar Network Threat Analytics app for IBM QRadar SIEM includes components with known vulnerabilities	19 Dec 202521:13	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Watsonx BI Assistant for CP4D	11 Mar 202617:12	–	ibm
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Optim Archive Viewer is affected by a vulnerability in Next.js (CVE-2025-48068)	30 May 202608:58	–	ibm
Circl	CVE-2025-48068	29 May 202512:34	–	circl
CNNVD	Next.js 安全漏洞	30 May 202500:00	–	cnnvd
CVE	CVE-2025-48068	30 May 202503:37	–	cve
Cvelist	CVE-2025-48068 Information exposure in Next.js dev server due to lack of origin verification	30 May 202503:37	–	cvelist
EUVD	EUVD-2025-16359	3 Oct 202520:07	–	euvd

Vulners

Node

next nextRange13.0–14.2.30npm

next nextRange15.0.0–15.2.2npm

Source	Link
github	www.github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r
vercel	www.vercel.com/changelog/cve-2025-48068
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-48068
github	www.github.com/advisories/GHSA-3h52-269p-cp9r

13 Jun 2025 14:41Current

4.5Medium risk

Vulners AI Score4.5

CVSS 3.14.3

CVSS 42.3

EPSS0.00101

SSVC