next up to 15.1.6 Next.js Dev Server missing origin validation in websockets

Summaryinfo

A vulnerability marked as problematic has been reported in next. This vulnerability affects unknown code of the component Next.js Dev Server. This manipulation causes missing origin validation in websockets. The identification of this vulnerability is CVE-2025-48068. It is possible to initiate the attack remotely. There is no exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in next. It has been declared as problematic. Affected by this vulnerability is an unknown code of the component Next.js Dev Server. The manipulation with an unknown input leads to a missing origin validation in websockets vulnerability. The CWE definition for the vulnerability is CWE-1385. The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. As an impact it is known to affect confidentiality. The summary by CVE is:

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in version 15.2.2.

The advisory is shared at github.com. This vulnerability is known as CVE-2025-48068 since 05/15/2025. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available.

Upgrading to version 15.2.2 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2025-16359). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• next

Version

• 0.0.1
• 1.2.0
• 1.2.1
• 1.3.0
• 1.3.101.11
• 1.5.0
• 1.5.2
• 1.6.0
• 1.6.2
• 1.7.10.243
• 1.9.0
• 1.28.1
• 2.0
• 2.0(1.68)
• 2.0(1.115)
• 2.4.1
• 2.12.1
• 2.12.4
• 3.0.1
• 3.0.11
• 3.1(1k)A
• 3.3.0
• 3.29.2
• 3.c
• 4.0
• 4.0.2
• 4.07
• 4.1.2
• 4.2.3
• 4.3.1
• 4.3.2
• 4.24.5
• 5.0
• 5.0.0
• 5.0.1
• 5.0.2
• 5.0.3
• 5.5
• 5.5R8P23
• 6.0
• 6.0.0
• 6.0.1
• 6.0.2
• 6.0.2. 6.0.6
• 6.0.3
• 6.0.4
• 6.0.5
• 6.0.6
• 6.0.6.1
• 6.0.61
• 6.02
• 6.06
• 6.3.5
• 6.10.13
• 7.0
• 7.0.0
• 7.0.1
• 7.0.2
• 7.0.3
• 7.1
• 7.1.1
• 7.1.2
• 8.0.17
• 9.3.2
• 9.5.0
• 9.5.1
• 9.5.2
• 9.5.3
• 9.5.4
• 11.1.0
• 11.1.1
• 11.1.3
• 11.5.0
• 12.0.4
• 12.0.5
• 12.0.9
• 12.1.0
• 12.2.4
• 12.3.5
• 13.4.20-canary.13
• 13.5.0
• 13.5.1
• 13.5.7
• 13.5.8
• 13.5.9
• 14.1.1
• 14.2.7
• 14.2.9
• 14.2.10
• 14.2.15
• 14.2.20
• 14.2.21
• 14.2.24
• 14.2.25
• 15.1.1
• 15.1.2
• 15.1.5
• 15.1.6

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion