PT-2025-18911 · Flags, @vercel/flags
Published: 2025-05-02 · Updated: 2025-05-04 · CVE-2025-46332
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Flags versions 3.2.0 and prior
@vercel/flags versions 3.1.1 and prior
Description
The issue allows for information disclosure: a bad actor could obtain the list of all feature flags exposed through the "flags discovery endpoint" (.well-known/vercel/flags), including the flag names, flag descriptions, available options and their labels, and default flag values. This can occur if a bad actor has detailed knowledge of the vulnerability.
Recommendations
For Flags versions 3.2.0 and prior, update to flags@4.0.0 to resolve the issue.
For @vercel/flags versions 3.1.1 and prior, migrate to flags@4.0.0 to resolve the issue.
As a temporary workaround, consider restricting access to the .well-known/vercel/flags endpoint until the update to flags@4.0.0 is applied.
Weakness Enumeration
Information Disclosure
Affected Products
@vercel/flags
Flags