CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 May 2025 — Flags SDK is an open-source feature flags toolkit for Next.js and SvelteKit. Impacted versions include flags 3.2.0 and prior and @vercel/flags 3.1.1 and prior: under certain circumstances, a bad actor with detailed knowledge of the vulnerability can list all flags returned by the flags discovery endpoint (.well-known/vercel/flags). This vulnerability allows for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, ... • https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor