A low-severity vulnerability in the Next.js dev server has been addressed.
Summary
This affects versions 13.0.0 and later, up to but not including 15.2.2, when using the App Router, and involves Cross-site WebSocket hijacking (CSWSH) to perform the exploit.
Impact
When running next dev, a malicious website can open a WebSocket connection to localhost and access component source code if the project uses the App Router. The root cause is a lack of origin verification on the WebSocket interface: the dev server accepted the handshake regardless of which site the visitor's browser was on, so any page the developer visited could connect on their behalf.
This issue is similar to CVE-2018-14732, though scoped strictly to local development use.
Resolution
This issue was fixed in Next.js version 15.2.2, which introduces origin checks to prevent unauthorized WebSocket connections during development.
Workarounds
Avoid browsing untrusted websites while running the local development server.
Implement local firewall or proxy rules to block unauthorized WebSocket access to localhost.
Upgrade to get the patch and use allowedDevOrigins to still allow specific origins to connect if you need backwards compatibility: https://github.com/vercel/next.js/pull/76880
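As an added example (not code from Next.js, the linked pull request, or this advisory), the kind of Origin check that the fix and the allowedDevOrigins workaround describe, written as a standalone Node.js function that can be exercised against constructed WebSocket upgrade headers. The allowedDevOrigins entry format used here (bare hostnames with an optional leading "*." wildcard), the decision to let Origin-less non-browser clients through, and the attacker.example and local-origin.dev hostnames are all assumptions for illustration.

```javascript
// Added example, not Next.js's own code: an Origin check for a dev-server
// WebSocket upgrade, in the spirit of the fix described above. The
// allowedDevOrigins pattern format (bare hostnames, optional "*." wildcard)
// is an assumption for illustration.

// Build a hostname matcher from one allowedDevOrigins-style entry.
function hostnameMatcher(pattern) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.foo.dev" -> ".foo.dev"
    // Require at least one label before the suffix: "foo.dev" itself does not match "*.foo.dev".
    return (hostname) => hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return (hostname) => hostname === pattern;
}

// Decide whether a WebSocket upgrade request may proceed.
// `headers` is the request's header object with lower-cased keys, as Node's
// http module provides it on an 'upgrade' event.
function shouldAcceptUpgrade(headers, allowedDevOrigins = []) {
  const host = headers['host'];
  const origin = headers['origin'];
  if (typeof host !== 'string' || host.length === 0) return false;

  // Browsers always send Origin on a WebSocket handshake. A request with no
  // Origin comes from a non-browser client (curl, a local script) that already
  // has direct access to localhost; CSWSH is a browser problem, so such
  // requests are let through here. Tighten this if the dev server must only
  // ever talk to browsers.
  if (origin === undefined) return true;

  let originUrl;
  try {
    originUrl = new URL(origin);
  } catch {
    return false; // "null", empty or malformed Origin is rejected
  }
  if (originUrl.protocol !== 'http:' && originUrl.protocol !== 'https:') return false;

  // Same-origin: the Origin's host[:port] equals the Host header the server saw.
  if (originUrl.host === host) return true;

  // Cross-origin: only explicitly allowed development origins may connect.
  return allowedDevOrigins.map(hostnameMatcher).some((match) => match(originUrl.hostname));
}

// Constructed handshakes (not captured traffic) showing each decision.
const constructedHandshakes = [
  { label: 'same-origin browser tab',     headers: { host: 'localhost:3000', origin: 'http://localhost:3000' } },
  { label: 'malicious third-party site',  headers: { host: 'localhost:3000', origin: 'https://attacker.example' } },
  { label: 'non-browser client',          headers: { host: 'localhost:3000' } },
  { label: 'allowed wildcard dev origin', headers: { host: 'localhost:3000', origin: 'https://app.local-origin.dev' } },
  { label: 'opaque "null" origin',        headers: { host: 'localhost:3000', origin: 'null' } },
];

function runDemo(allowedDevOrigins = ['*.local-origin.dev']) {
  return constructedHandshakes.map(({ label, headers }) => ({
    label,
    accepted: shouldAcceptUpgrade(headers, allowedDevOrigins),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const { label, accepted } of runDemo()) {
    console.log(`${accepted ? 'ACCEPT' : 'REJECT'}  ${label}`);
  }
}
```

The comparison is on the exact host[:port] pair, so a tab served from http://127.0.0.1:3000 is a different origin from http://localhost:3000 and is rejected unless listed; that is the backwards-compatibility case the allowedDevOrigins workaround exists for.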
For Vercel Customers
This CVE affects local development only; no mitigation is required for applications in production on Vercel.
Credit
Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.