CVE-2025-46332

MEDIUM

flags < 4.0.0 and @vercel/flags < 4.0.0 - Unauthenticated Exposure of Sensitive Information via Discovery Endpoint

Title source: llm

Description

Flags SDK is an open-source feature flags toolkit for Next.js and SvelteKit. Impacted versions include flags from 3.2.0 and prior and @vercel/flags from 3.1.1 and prior as certain circumstances allows a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (.well-known/vercel/flags). This vulnerability allows for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, including the flag names, flag descriptions, available options and their labels (e.g. true, false), and default flag values. This issue has been patched in [email protected], users of flags and @vercel/flags should also migrate to [email protected].

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/vercel/flags/security/advisories/GHSA-892p-pqrr-hxqr

Various Sources x_refsource_misc

https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md

View Writeup ZIP pw:eip

Various Sources x_refsource_misc

https://vercel.com/changelog/information-disclosure-in-flags-sdk-cve-2025-46332

Scores

CVSS v3 6.5

EPSS 0.0029

EPSS Percentile 52.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (3)

npm/flags 0 - 4.0.0npm

vercel/flags 0npm

vercel/flags < 4.0.0

Published May 02, 2025

Tracked Since Feb 18, 2026