Information Disclosure via Flags override link

Vulnerability Details

Basic Information

Title Information Disclosure via Flags override link
Type github
Published 2025-05-02T19:28:40
Last Seen 2025-05-02T21:44:12
CVSS Score 6.5 (MEDIUM)

CVSS v3 Details

Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact LOW
Availability Impact NONE

CVE Information

CVE IDs CVE-2025-46332
CWE CWE-200
Bulletin Family software

Description

## Summary

An information disclosure vulnerability affecting Flags SDK has been addressed. It impacted `flags` ≤3.2.0 and `@vercel/flags` ≤3.1.1 and in certain circumstances, allowed a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (`.well-known/vercel/flags`).

## Impact

This vulnerability allowed for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, including the:

- Flag names
- Flag descriptions
- Available options and their labels (e.g. `true`, `false`)
- Default flag values

Not impacted:

- Flags providers were not accessible

No write access and no additional customer data were exposed; the disclosure is limited to the values listed above. Vercel has automatically mitigated this incident on behalf of our customers for the default flags discovery endpoint at `.well-known/vercel/flags`. Flags Explorer will be disabled and show a warning notice until upgraded to `[email protected]`.

## Resolution

The `verifyAccess` function was patched within `[email protected]`.

Users of `@vercel/flags` should also migrate to `[email protected]`.

For further guidance on upgrading your version, please see our [upgrade guide](https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md).

## Mitigations

Vercel implemented a network-level mitigation that prevents the default flags discovery endpoint at `/.well-known/vercel/flags` from being reachable, which automatically protects Vercel deployments against exploitation of this issue. Users need to upgrade to `[email protected]` to re-enable the Flags Explorer.

This automatic mitigation is not effective in two scenarios:

- When using the Flags SDK on Pages Router, as the original non-rewritten route would still be accessible, e.g. `/api/vercel/flags`.
- When using a custom path for the flags discovery endpoint.

If you are not protected by the Vercel default mitigation you can temporarily deny access to the other exposed flags discovery endpoints through a custom WAF rule while you upgrade to the latest version.
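An application-level equivalent of the temporary deny rule described above, added here as an example that is not part of the advisory or the Flags SDK: it refuses requests to the default discovery path, the Pages Router path, and any custom path you configure, and logs each blocked attempt so it is visible to monitoring. The helper names, the 403 response and any path beyond the two named in the advisory are assumptions.

```javascript
// Added example (not Flags SDK code): temporary deny rule for the flags
// discovery endpoints while upgrading. Usable from Next.js middleware or a
// plain Node.js server; custom paths are an assumption you must fill in.
// Default endpoint and the Pages Router route named in the advisory.
const DEFAULT_BLOCKED_PATHS = ["/.well-known/vercel/flags", "/api/vercel/flags"];
// Canonicalize a path so percent-encoding, doubled slashes, trailing slashes
// and case differences cannot slip past a plain string comparison.
function normalizePath(pathname) {
  let p;
  try {
    p = decodeURIComponent(pathname);
  } catch {
    p = pathname; // malformed percent-encoding: compare the raw form
  }
  p = p.replace(/\/+/g, "/");
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p.toLowerCase();
}
// True when the request targets one of the discovery endpoints.
function isFlagsDiscoveryRequest(rawUrl, customPaths = []) {
  const { pathname } = new URL(rawUrl, "http://placeholder.invalid");
  const target = normalizePath(pathname);
  return [...DEFAULT_BLOCKED_PATHS, ...customPaths].some(
    (blocked) => normalizePath(blocked) === target
  );
}
// Decision for one request: deny discovery endpoints with a 403 and emit a
// log line so blocked attempts are visible to monitoring.
function decide(rawUrl, customPaths = []) {
  if (isFlagsDiscoveryRequest(rawUrl, customPaths)) {
    const { pathname } = new URL(rawUrl, "http://placeholder.invalid");
    return { status: 403, log: `flags-discovery-denied path=${pathname}` };
  }
  return { status: null, log: null }; // pass through to the application
}
// Plain Node.js usage; Next.js middleware can call decide(request.url) and
// return a NextResponse with the same status when it is non-null.
function handler(req, res, next, customPaths = []) {
  const d = decide(req.url, customPaths);
  if (d.status !== null) {
    console.warn(d.log);
    res.statusCode = d.status;
    return res.end("Forbidden");
  }
  return next();
}
```

Remove the rule once the upgrade is deployed, since it also blocks the Flags Explorer's legitimate use of the endpoint.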

## References

- https://vercel.com/changelog/information-disclosure-in-flags-sdk-cve-2025-46332
- https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md

Impact Assessment

Base Score 6.5
Severity MEDIUM
