We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-46332

Information Disclosure via Flags override link



Description

Flags SDK is an open-source feature flags toolkit for Next.js and SvelteKit. Impacted versions include flags from 3.2.0 and prior and @vercel/flags from 3.1.1 and prior as certain circumstances allows a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (.well-known/vercel/flags). This vulnerability allows for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, including the flag names, flag descriptions, available options and their labels (e.g. true, false), and default flag values. This issue has been patched in flags@4.0.0, users of flags and @vercel/flags should also migrate to flags@4.0.0.

Reserved 2025-04-22 | Published 2025-05-02 | Updated 2025-05-02 | Assigner GitHub_M


MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

< 4.0.0
affected

References

github.com/.../flags/security/advisories/GHSA-892p-pqrr-hxqr

github.com/...ob/main/packages/flags/guides/upgrade-to-v4.md

vercel.com/...rmation-disclosure-in-flags-sdk-cve-2025-46332

cve.org (CVE-2025-46332)

nvd.nist.gov (CVE-2025-46332)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-46332

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.