
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-48068 is a low-severity vulnerability affecting Next.js dev server versions 13.0 through 15.2.2. It was discovered and disclosed on May 28, 2025, and impacts applications using the App Router feature. The flaw is similar to CVE-2018-14732: a Cross-site WebSocket hijacking (CSWSH) vulnerability in the dev server's WebSocket server when it is run locally (GitHub Advisory).
The vulnerability stems from a lack of origin verification in the Next.js development server's WebSocket implementation. When running a Next.js server locally (e.g., through npm run dev), the WebSocket server becomes vulnerable to Cross-site WebSocket hijacking attacks. The issue specifically affects applications using App Router, which was experimental and required experimental.appDir = true in versions 13.0.0 to 13.4. The vulnerability has been assigned a CVSS v4 score of 2.3 (Low severity) with the following vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N (GitHub Advisory).
If exploited, this vulnerability allows malicious websites to access the source code of client components in a Next.js application when a user visits the malicious site while running the Next.js dev server locally. The impact is limited to development environments and requires active user interaction. There is no impact on production deployments (GitHub Advisory).
The vulnerability has been patched in Next.js version 15.2.2. Users are advised to upgrade to this version or later to address the security issue. The fix was released on May 28, 2025 (GitHub Advisory).
The vulnerability was responsibly disclosed by security researchers sapphi-red and Radman Siddiki. Vercel, the company behind Next.js, has documented the vulnerability in their changelog and assigned it a low severity rating (GitHub Advisory).
Source: This report was generated using AI