CVE-2025-48068

LOW EPSS 6.2%

Published May 30, 20251y ago · Modified Jun 17, 20261w ago

2.3 CVSS 4.0

Low

Published May 30, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in versions 14.2.30 and 15.2.2.

CVSS Details

Base Score

2.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction P

Scope X

Threat Intelligence

EPSS Exploit Probability

6.2% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-1385

Affected Products 2

Vendor	Product	Version	Range
vercel	next.js	*	≥13.0.0 – <14.2.30
vercel	next.js	*	≥15.0.0 – <15.2.2

References 2

github.com https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r

Vendor Advisory
vercel.com https://vercel.com/changelog/cve-2025-48068

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.