GHSA-892p-pqrr-hxqr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-892p-pqrr-hxqr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-892p-pqrr-hxqr/GHSA-892p-pqrr-hxqr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-892p-pqrr-hxqr
- Aliases
-
- CVE-2025-46332
- Published
- 2025-05-02T19:28:40Z
- Modified
- 2025-05-02T19:57:14.024114Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Information Disclosure via Flags override link
- Details
-
Summary
An information disclosure vulnerability affecting Flags SDK has been addressed. It impacted
flags≤3.2.0 and@vercel/flags≤3.1.1 and in certain circumstances, allowed a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (.well-known/vercel/flags).Impact
This vulnerability allowed for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, including the:
- Flag names
- Flag descriptions
- Available options and their labels (e.g.
true,false) - Default flag values
Not impacted:
- Flags providers were not accessible
No write access nor additional customer data was exposed, this is limited to just the values noted above. Vercel has automatically mitigated this incident on behalf of our customers for the default flags discovery endpoint at
.well-known/vercel/flags. Flags Explorer will be disabled and show a warning notice until upgraded toflags@4.0.0.Resolution
The
verifyAccessfunction was patched withinflags@4.0.0.Users of
@vercel/flagsshould also migrate toflags@4.0.0.For further guidance on upgrading your version, please see our upgrade guide.
Mitigations
Vercel implemented a network-level mitigation to prevent the default flags discovery endpoint at
/.well-known/vercel/flagsbeing reachable, which automatically protects Vercel deployments against exploitation of this issue. Users need to upgrade toflags@4.0.0to re-enable the Flags Explorer.This automatic mitigation is not effective in two scenarios:
- When using the Flags SDK on Pages Router, as the original non-rewritten route would still be accessible, e.g.
/api/vercel/flags. - When using a custom path for the flags discovery endpoint.
If you are not protected by the Vercel default mitigation you can temporarily deny access to the other exposed flags discovery endpoints through a custom WAF rule while you upgrade to the latest version.
References
- https://vercel.com/changelog/information-disclosure-in-flags-sdk-cve-2025-46332
- https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md
- Database specific
{ "nvd_published_at": "2025-05-02T17:15:52Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-05-02T19:28:40Z" }- References
-
- https://github.com/vercel/flags/security/advisories/GHSA-892p-pqrr-hxqr
- https://nvd.nist.gov/vuln/detail/CVE-2025-46332
- https://github.com/vercel/flags
- https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md
- https://vercel.com/changelog/information-disclosure-in-flags-sdk-cve-2025-46332
Affected packages
npm / flags
Package
- Name
- flags
- View open source insights on deps.dev
- Purl
- pkg:npm/flags
npm / @vercel/flags
Package
- Name
- @vercel/flags
- View open source insights on deps.dev
- Purl
- pkg:npm/%40vercel/flags