Strix
26.1K

CVE-2025-48068

LOWCVSS 2.3/10EPSS 0.17%

Last modified

CVE-2025-48068 is a low-severity vulnerability rated 2.3/10 on the CVSS scale. Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. EPSS estimates a 0.17% chance of exploitation in the next 30 days.

Description

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in versions 14.2.30 and 15.2.2.

Metrics

CVSS 3.1
4.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS 4.0
2.3/10

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability
0.17%

6.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
VercelNext.Js>= 13.0.0, < 14.2.30
VercelNext.Js>= 15.0.0, < 15.2.2

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2025-48068?
Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in versions 14.2.30 and 15.2.2.
How severe is CVE-2025-48068?
CVE-2025-48068 has a CVSS score of 2.3/10 (LOW severity). The EPSS model estimates a 0.17% probability of exploitation in the next 30 days.
How do I fix CVE-2025-48068?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-48068?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST