npm - next - Versions - 15.2.2-canary.4 - Mend

next 15.2.2-canary.4

1 security vulnerability found in version 15.2.2-canary.4

Information exposure in Next.js dev server due to lack of origin verification

low severity CVE-2025-48068

Affected versions: >= 15.0.0, < 15.2.2

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

No license issues detected.

This package version has a license in the source code.

This package version is available.

This package version has not been yanked and is still available for usage.