2369320 – (CVE-2025-48068) CVE-2025-48068 next.js: Information exposure in Next.js dev server due to lack of origin verification

Bug 2369320 (CVE-2025-48068) - CVE-2025-48068 next.js: Information exposure in Next.js dev server due to lack of origin verification

Summary: CVE-2025-48068 next.js: Information exposure in Next.js dev server due to lac...

Keywords:
Status:	NEW
Alias:	CVE-2025-48068
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2369394 2369396 2369398 2369400 2369391 2369392 2369393 2369395 2369397 2369399
Blocks:
TreeView+	depends on / blocked

Reported:	2025-05-30 04:01 UTC by OSIDB Bzimport
Modified:	2025-05-30 13:04 UTC (History)
CC List:	15 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-05-30 04:01:21 UTC

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in version 15.2.2.

Note You need to log in before you can comment on or make changes to this bug.