Information Disclosure in Flags SDK for Next.js and SvelteKit by Vercel
CVE-2025-46332

6.5MEDIUM

Key Information:

Vendor

Vercel
Status
Flags
Vendor
CVE Published:
2 May 2025

What is CVE-2025-46332?

Flags SDK, a popular open-source feature flags toolkit for Next.js and SvelteKit, has a vulnerability in versions up to 3.2.0 and @vercel/flags up to 3.1.1. This issue allows attackers who are knowledgeable about the vulnerability to exploit the flags discovery endpoint (.well-known/vercel/flags), potentially revealing sensitive information. By leveraging this vulnerability, an unauthorized user could access a comprehensive list of feature flags, along with their names, descriptions, options, labels (such as true/false), and default values. Users are advised to update to [email protected] immediately to mitigate this risk.

Affected Version(s)

flags < 4.0.0

References

https://github.com/vercel/flags/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/vercel/flags/blob/main/packages/flags/...
x_refsource_MISC
https://vercel.com/changelog/information-disclosure-in-fl...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.