PT-2025-23134 · Next.Js

R4356Th

Published: 2025-05-28 · Updated: 2025-06-13 · CVE-2025-48068

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Next.js versions 13.0.0 through 13.3.x
Next.js versions 13.4 and earlier with experimental.appDir = true
Next.js versions prior to 15.2.2

Description

This issue is similar to a previously known vulnerability. When a Next.js server is run locally, its WebSocket server is susceptible to Cross-site WebSocket hijacking (CSWSH). If a user visits a malicious link while the Next.js dev server is running, a bad actor may access the source code of client components. This affects applications using the App Router, which was experimental in versions 13.0.0 to 13.3.x. The vulnerability allows an attacker to spy on dev activity and steal source code.

Recommendations

For all affected versions (13.0.0 through 13.3.x, 13.4 and earlier with experimental.appDir = true, and any version prior to 15.2.2), update to version 15.2.2 or later to fix the issue. As a temporary workaround, consider disabling the next dev server when not in use to minimize the risk of exploitation.

Related Identifiers

CVE-2025-48068
GHSA-3H52-269P-CP9R

Affected Products

Next.Js