Missing Origin Validation in WebSockets
CVE-2025-48068
Summary
Next.js is a React framework for building full-stack web applications. In the next package, versions 13.0.0 through 15.2.2-canary.2 may have allowed limited source code exposure when the development server was running with the App Router enabled. This vulnerability only affects local development environments and requires the user to visit a malicious web page while npm run dev is active. The issue has been patched in version 15.2.2-canary.3.
- LOW
- NETWORK
- NONE
- UNCHANGED
- REQUIRED
- NONE
- LOW
- NONE
CWE-1385 - Missing Origin Validation in WebSockets
The software uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
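Added example, not code from Next.js or from this advisory: one way a Node.js server can validate the Origin header during the WebSocket upgrade, which is the check CWE-1385 describes as missing, with a prefix match shown for contrast. The allowlist, the function names and the `accept` callback are assumptions made for illustration.

```javascript
// Constructed allowlist for a dev server on port 3000 (assumption).
const ALLOWED_ORIGINS = new Set(['http://localhost:3000', 'http://127.0.0.1:3000']);

// Weak form, shown for contrast: a prefix match also accepts lookalike hosts
// such as http://localhost.evil.example:3000.
function naiveOriginCheck(origin) {
  return typeof origin === 'string' && origin.startsWith('http://localhost');
}

// Hardened form: parse the header and compare the exact scheme://host:port.
function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  // Browsers always send Origin on a WebSocket handshake. Rejecting a missing
  // header is a policy choice that also blocks non-browser clients.
  if (typeof origin !== 'string' || origin === 'null') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // malformed header value
  }
  // A valid Origin value has no path, query or credentials and is already
  // in serialized form, so it must round-trip unchanged.
  if (parsed.origin !== origin) return false;
  return allowed.has(parsed.origin);
}

// Handler for the 'upgrade' event of Node's http.Server. Refuses the request
// before any WebSocket frame is exchanged. `accept` is a hypothetical callback
// standing in for the WebSocket library's own handshake.
function guardUpgrade(req, socket, accept) {
  if (!isAllowedOrigin(req.headers.origin)) {
    socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
    socket.destroy();
    return false;
  }
  accept(req, socket);
  return true;
}
```

Wire it in with `server.on('upgrade', (req, socket) => guardUpgrade(req, socket, accept))`, so that no WebSocket handshake completes for a page loaded from an origin outside the allowlist.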
References
Advisory Timeline
- Published