CVE-2025-46332— Information Disclosure via Flags override link

Information Disclosure via Flags override link

Flags SDK is an open-source feature flags toolkit for Next.js and SvelteKit. Impacted versions include flags from 3.2.0 and prior and @vercel/flags from 3.1.1 and prior as certain circumstances allows a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (.well-known/vercel/flags). This vulnerability allows for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, including the flag names, flag descriptions, available options and their labels (e.g. true, false), and default flag values. This issue has been patched in flags@4.0.0, users of flags and @vercel/flags should also migrate to flags@4.0.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

信息暴露

Flags SDK 信息泄露漏洞

Flags SDK是Vercel开源的一个Vercel的Flags SDK。 Flags SDK 3.2.0及之前版本和@vercel/flags 3.1.1及之前版本存在信息泄露漏洞，该漏洞源于信息泄露，可能导致访问功能标志列表。

N/A

N/A