ghsa-892p-pqrr-hxqr
Vulnerability from github
Published: 2025-05-02 19:28
Modified: 2025-05-02 19:28
Summary: Information Disclosure via Flags override link
Details

Summary

An information disclosure vulnerability affecting the Flags SDK has been addressed. It impacted flags ≤3.2.0 and @vercel/flags ≤3.1.1 and, in certain circumstances, allowed a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (.well-known/vercel/flags).

Impact

This vulnerability allowed for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, including:

  • Flag names
  • Flag descriptions
  • Available options and their labels (e.g. true, false)
  • Default flag values

Not impacted:

  • Flags providers were not accessible

No write access was granted and no additional customer data was exposed; the disclosure is limited to the values noted above. Vercel has automatically mitigated this incident on behalf of our customers for the default flags discovery endpoint at .well-known/vercel/flags. Flags Explorer will be disabled and show a warning notice until upgraded to flags@4.0.0.

Resolution

The verifyAccess function was patched within flags@4.0.0.

Users of @vercel/flags should also migrate to flags@4.0.0.

For further guidance on upgrading your version, please see our upgrade guide.

Mitigations

Vercel implemented a network-level mitigation to prevent the default flags discovery endpoint at /.well-known/vercel/flags from being reachable, which automatically protects Vercel deployments against exploitation of this issue. Users need to upgrade to flags@4.0.0 to re-enable the Flags Explorer.

This automatic mitigation is not effective in two scenarios:

  • When using the Flags SDK on Pages Router, as the original non-rewritten route would still be accessible, e.g. /api/vercel/flags.
  • When using a custom path for the flags discovery endpoint.

If you are not protected by the Vercel default mitigation, you can temporarily deny access to the other exposed flags discovery endpoints through a custom WAF rule while you upgrade to the latest version.

References

  • https://vercel.com/changelog/information-disclosure-in-flags-sdk-cve-2025-46332
  • https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md
{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flags"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@vercel/flags"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-02T19:28:40Z",
    "nvd_published_at": "2025-05-02T17:15:52Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nAn information disclosure vulnerability affecting Flags SDK has been addressed. It impacted `flags` \u22643.2.0 and `@vercel/flags` \u22643.1.1 and in certain circumstances, allowed a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (`.well-known/vercel/flags`).\n\n## Impact\n\nThis vulnerability allowed for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, including the:\n\n- Flag names\n- Flag descriptions\n- Available options and their labels (e.g. `true`, `false`)\n- Default flag values\n\nNot impacted:\n\n- Flags providers were not accessible\n\nNo write access nor additional customer data was exposed, this is limited to just the values noted above. Vercel has automatically mitigated this incident on behalf of our customers for the default flags discovery endpoint at `.well-known/vercel/flags`. Flags Explorer will be disabled and show a warning notice until upgraded to `flags@4.0.0`.\n\n## Resolution\n\nThe `verifyAccess` function was patched within `flags@4.0.0`. \n\nUsers of `@vercel/flags` should also migrate to `flags@4.0.0`.\n\nFor further guidance on upgrading your version, please see our [upgrade guide](https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md).\n\n## Mitigations\n\nVercel implemented a network-level mitigation to prevent the default flags discovery endpoint at `/.well-known/vercel/flags` being reachable, which automatically protects Vercel deployments against exploitation of this issue. Users need to upgrade to `flags@4.0.0` to re-enable the Flags Explorer.\n\nThis automatic mitigation is not effective in two scenarios:\n\n- When using the Flags SDK on Pages Router, as the original non-rewritten route would still be accessible, e.g. `/api/vercel/flags`.\n- When using a custom path for the flags discovery endpoint.\n\nIf you are not protected by the Vercel default mitigation you can temporarily deny access to the other exposed flags discovery endpoints through a custom WAF rule while you upgrade to the latest version.\n\n## References\n\n- https://vercel.com/changelog/information-disclosure-in-flags-sdk-cve-2025-46332\n- https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md",
  "id": "GHSA-892p-pqrr-hxqr",
  "modified": "2025-05-02T19:28:40Z",
  "published": "2025-05-02T19:28:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/flags/security/advisories/GHSA-892p-pqrr-hxqr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46332"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/flags"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md"
    },
    {
      "type": "WEB",
      "url": "https://vercel.com/changelog/information-disclosure-in-flags-sdk-cve-2025-46332"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Information Disclosure via Flags override link"
}