Information disclosure in Flags SDK (CVE-2025-46332)

Thread starter: Dominik Ferber, Jack Wilson
Vercel discovered and patched an information disclosure vulnerability in the Flags SDK, affecting the following versions:

  • flags ≤ 3.2.0
  • @vercel/flags ≤ 3.1.1

This is being tracked as CVE-2025-46332. We have published an automatic mitigation for the default configuration of the Flags SDK on Vercel.

We recommend upgrading to flags@4.0.0 (or migrating from @vercel/flags to flags) to remediate the issue. Further guidance can be found in the upgrade guide.
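As an added example (not Vercel's or the Flags SDK's code), the check below walks a package.json-style dependency map and reports any `flags` or `@vercel/flags` entry whose version falls in the affected ranges above. For caret/tilde ranges it compares the range's lower bound, which is deliberately conservative: the resolved version in the lockfile or in `node_modules/<pkg>/package.json` is the authoritative one. The sample package.json is constructed for the example.

```javascript
// Added example: detect affected Flags SDK versions from a dependency map.
// Not part of the advisory or the Flags SDK. Assumes plain semver versions
// or caret/tilde/>= ranges; anything else (tags, workspace specs, URLs) is
// reported as "unknown" rather than silently passed.

// Highest affected version per package, from the advisory.
const AFFECTED_CEILING = {
  flags: [3, 2, 0],           // flags <= 3.2.0
  '@vercel/flags': [3, 1, 1], // @vercel/flags <= 3.1.1
};

// Parse "3.1.2", "v3.1.2", "^3.1.2", "~3.1.2", ">=3.1.2" into [major, minor, patch].
// Returns null when the spec does not start with a concrete version.
function parseSemver(spec) {
  const m = /^[\^~=]?(?:>=)?\s*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> version (or range lower bound) is within the affected range
// false -> not affected, or not a Flags SDK package
// null  -> Flags SDK package with an unparseable spec; inspect manually
function isAffected(name, spec) {
  const ceiling = AFFECTED_CEILING[name];
  if (!ceiling) return false;
  const version = parseSemver(spec);
  if (!version) return null;
  return compareSemver(version, ceiling) <= 0;
}

// Scan dependencies and devDependencies of a parsed package.json object.
function findAffectedDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const verdict = isAffected(name, spec);
      if (verdict === true) {
        findings.push({ name, spec, field, status: 'affected' });
      } else if (verdict === null) {
        findings.push({ name, spec, field, status: 'unknown' });
      }
    }
  }
  return findings;
}

// Constructed sample package.json (not from any real project).
const samplePackageJson = {
  name: 'example-app',
  dependencies: {
    next: '15.0.0',
    flags: '^3.1.2',          // lower bound 3.1.2 <= 3.2.0 -> affected
    '@vercel/flags': '3.1.1', // exactly the affected ceiling
  },
  devDependencies: { typescript: '5.4.0' },
};

const report = findAffectedDependencies(samplePackageJson);
console.log(JSON.stringify(report, null, 2));
```

A finding with `status: 'affected'` means the project should move to flags@4.0.0 (or migrate from @vercel/flags to flags) as recommended above; `unknown` means the spec could not be interpreted and the installed version must be checked by hand.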

Impact and Analysis

A malicious actor could determine the following under specific conditions:

  • Flag names
  • Flag descriptions
  • Available options and their labels (e.g. true, false)
  • Default flag values

Flags providers were not accessible. No write access was possible and no additional customer data was exposed; the disclosure is limited to the values noted above.

Automatic Mitigation

Vercel implemented a network-level mitigation that prevents the default flags discovery endpoint at /.well-known/vercel/flags from being reachable, which automatically protects Vercel deployments against exploitation of this issue.

While uncommon, if you expose the flags discovery endpoint through custom paths, the network-level mitigation does not cover those paths. In that case you can implement a custom WAF rule to restrict access to the endpoints as a mitigation, for example when using:

  • Pages Router, as the original non-rewritten route would still be accessible, e.g. /api/vercel/flags.
  • Microfrontends, as each application may use a distinct flags discovery endpoint.
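For deployments where the network-level mitigation does not apply (custom discovery paths, a Pages Router API route, or one endpoint per microfrontend), the guard below is an added example, not Vercel's code and not the Flags SDK's own access check, of denying those endpoints in application code until the upgrade lands. It uses only the standard `Request`/`Response` globals (Node 18+ or an edge runtime). The default path is the one named in the advisory; `/api/vercel/flags` is the Pages Router example from the advisory; the `/checkout/...` path and the hostname are constructed for the example.

```javascript
// Added example: block flags discovery endpoints at the application layer.
// Not part of the advisory or the Flags SDK. Paths are compared after
// percent-decoding, collapsing repeated slashes and resolving "."/".."
// segments, so trivial encoding variants do not slip past the guard itself.

const DEFAULT_DISCOVERY_PATHS = ['/.well-known/vercel/flags'];

// Canonicalise a request path. Returns null when the path cannot be decoded.
function normalizePath(pathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return null;
  }
  const segments = [];
  for (const seg of decoded.replace(/\/{2,}/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg);
  }
  return '/' + segments.join('/');
}

// true when pathname resolves to one of the configured discovery endpoints.
// Comparison is case-insensitive and undecodable paths fail closed; both are
// deliberately conservative choices for a temporary mitigation.
function isFlagsDiscoveryPath(pathname, discoveryPaths = DEFAULT_DISCOVERY_PATHS) {
  const normalized = normalizePath(pathname);
  if (normalized === null) return true;
  const target = normalized.toLowerCase();
  return discoveryPaths.some((p) => normalizePath(p).toLowerCase() === target);
}

// Build a guard: returns a 404 Response for discovery endpoints, null otherwise
// (null meaning "let the request continue to the normal handler").
function createFlagsDiscoveryGuard(discoveryPaths = DEFAULT_DISCOVERY_PATHS) {
  return function guard(request) {
    const { pathname } = new URL(request.url);
    if (!isFlagsDiscoveryPath(pathname, discoveryPaths)) return null;
    return new Response('Not Found', {
      status: 404,
      headers: { 'cache-control': 'no-store' },
    });
  };
}

// Constructed configuration: the default endpoint, the Pages Router API route
// named in the advisory, and a hypothetical microfrontend-specific path.
const guard = createFlagsDiscoveryGuard([
  ...DEFAULT_DISCOVERY_PATHS,
  '/api/vercel/flags',
  '/checkout/.well-known/vercel/flags',
]);

// Example run against constructed requests (example.com is a placeholder).
for (const url of [
  'https://example.com/.well-known/vercel/flags',
  'https://example.com/.well-known//vercel/%66lags/',
  'https://example.com/api/vercel/flags',
  'https://example.com/api/products',
]) {
  const res = guard(new Request(url));
  console.log(url, '->', res ? res.status : 'pass');
}
```

In a Next.js middleware the same `guard` would run first and its non-null result would be returned (as a `NextResponse` or plain `Response`) before any other matching; a WAF rule, as the advisory suggests, does the equivalent in front of the application and is preferable where available, since it also covers requests that never reach the middleware.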

Recommendations

We recommend that all users upgrade to flags@4.0.0. Flags Explorer will be disabled and show a warning notice until you upgrade to the latest version.

More information can be found in the upgrade guide.
