CVE-2025-46332

Published: May 2, 2025

Modified: May 2, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Flags SDK is an open-source feature flags toolkit for Next.js and SvelteKit. Impacted versions include flags from 3.2.0 and prior and @vercel/flags from 3.1.1 and prior as certain circumstances allows a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (.well-known/vercel/flags). This vulnerability allows for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, including the flag names, flag descriptions, available options and their labels (e.g. true, false), and default flag values. This issue has been patched in [email protected], users of flags and @vercel/flags should also migrate to [email protected].

Vendor	Product	Versions
vercel	flags	affected `< 4.0.0`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/vercel/flags/security/advisories/GHSA-892p-pqrr-hxqr

x_refsource_CONFIRM

https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md

x_refsource_MISC

https://vercel.com/changelog/information-disclosure-in-flags-sdk-cve-2025-46332

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-46332

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References