Source Code Exposure in Next.js Framework by Vercel
CVE-2025-48068

2.3LOW

Key Information:

Vendor: Vercel
Status: Next.js
Vendor: CVE Published:; 30 May 2025

What is CVE-2025-48068?

Next.js is a popular React framework designed for creating full-stack web applications. A vulnerability affects versions starting from 13.0 up to, but not including, 15.2.2, which may lead to limited exposure of source code in local development environments when the development server is running with the App Router feature enabled. The vulnerability occurs only when the user visits a malicious webpage while running 'npm run dev'. This issue has been addressed and remedied in version 15.2.2.

Affected Version(s)

next.js >= 13.0, < 14.2.30 < 13.0, 14.2.30

next.js >= 15.0.0, < 15.2.2 < 15.0.0, 15.2.2

References

https://github.com/vercel/next.js/security/advisories/GHS...

x_refsource_CONFIRM

https://vercel.com/changelog/cve-2025-48068

x_refsource_MISC

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 30, 2025
Vulnerability Reserved
May 15, 2025