CVE-2025-46332: Information Disclosure via Flags override link
An information disclosure vulnerability affecting the Flags SDK has been addressed. It impacted flags ≤3.2.0 and @vercel/flags ≤3.1.1 and, in certain circumstances, allowed a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (.well-known/vercel/flags). Projects pinning either package at or below those versions should upgrade to a later release; the project's upgrade guide is linked in the references.
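The practical check for this advisory is whether a project's installed versions fall inside the two affected ranges. The following is an added example, not code from the advisory or from the vercel/flags project: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json and reports every installed copy of flags ≤3.2.0 or @vercel/flags ≤3.1.1, including nested copies under another dependency. The lockfile fragment embedded below is constructed for the example and is not real project data.

```javascript
// Added example: locate dependency versions inside the ranges affected by
// CVE-2025-46332 (flags <= 3.2.0, @vercel/flags <= 3.1.1). Not project code.

// Affected ranges as stated by the advisory: every version up to and
// including the listed one is vulnerable.
const AFFECTED = {
  "flags": "3.2.0",
  "@vercel/flags": "3.1.1",
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts.
// Build metadata is ignored; a prerelease tag sorts before the bare release.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] ?? null };
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  // Same core version: a prerelease (e.g. 3.2.0-rc.1) is lower than the release.
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  return 0;
}

// True when `version` of package `name` falls inside the affected range.
function isAffected(name, version) {
  const max = AFFECTED[name];
  if (max === undefined) return false;
  return compareSemver(version, max) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/flags" or
// "node_modules/foo/node_modules/@vercel/flags"; the package name is the
// part after the last "node_modules/". Workspace entries without that
// prefix fall back to the entry's own "name" field.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // the root project entry
    const idx = path.lastIndexOf("node_modules/");
    const name = idx === -1 ? (entry.name ?? path) : path.slice(idx + "node_modules/".length);
    if (entry.version && isAffected(name, entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not real project data). The nested
// copy of flags under legacy-widget is above the affected range and is not reported.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/flags": { version: "3.2.0" },
    "node_modules/@vercel/flags": { version: "3.1.1" },
    "node_modules/legacy-widget/node_modules/flags": { version: "4.0.0" },
    "node_modules/next": { version: "15.0.0" },
  },
};

for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ${hit.name}@${hit.version} is within the affected range`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the nested-path handling matters because a transitive dependency can carry its own vulnerable copy even after the top-level package has been upgraded.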
References
- github.com/advisories/GHSA-892p-pqrr-hxqr
- github.com/vercel/flags
- github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md
- github.com/vercel/flags/security/advisories/GHSA-892p-pqrr-hxqr
- nvd.nist.gov/vuln/detail/CVE-2025-46332
- vercel.com/changelog/information-disclosure-in-flags-sdk-cve-2025-46332