Vercel Flags SDK Information Disclosure Vulnerability
Vulnerability
An information disclosure vulnerability has been identified in Vercel's Flags SDK, affecting the 'flags' package in versions through 3.2.0 and the '@vercel/flags' package in versions through 3.1.1. Under certain conditions, this vulnerability allows a knowledgeable actor to list all feature flags available through the flags discovery endpoint '.well-known/vercel/flags'. The exposed information includes flag names, descriptions, available options and their labels (such as true or false), and default values. The vulnerability does not affect flag providers and does not expose write access or additional customer data. It has been patched in Flags SDK version 4.0.0; users of '@vercel/flags' should also migrate to 'flags@4.0.0'.
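A practical first step for a defender is to audit a project's declared dependencies against the affected ranges stated above. The script below is an added example written for this advisory, not code from Vercel or the Flags SDK; the package.json content is constructed, the affected ranges are taken from the advisory text, and the check only reads the declared version spec, so a lockfile review remains the authoritative confirmation of what is actually installed.

```python
import json
import re

# Affected upper bounds taken from the advisory:
# 'flags' through 3.2.0, '@vercel/flags' through 3.1.1 (fixed in flags 4.0.0).
AFFECTED = {
    "flags": (3, 2, 0),
    "@vercel/flags": (3, 1, 1),
}

# Accepts plain versions and simple range prefixes such as '^3.1.0' or '~3.2.0'.
SEMVER_RE = re.compile(r"^\D*(\d+)\.(\d+)\.(\d+)")


def parse_version(spec):
    """Return (major, minor, patch) for a version spec, or None when the spec
    has no numeric core (e.g. 'latest', 'workspace:*')."""
    m = SEMVER_RE.match(spec.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def audit_package_json(text):
    """Return a list of (package, spec, status) for the two SDK packages found
    in dependencies or devDependencies. status is 'affected', 'fixed' or 'unknown'."""
    data = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if name not in AFFECTED:
                continue
            ver = parse_version(spec)
            if ver is None:
                status = "unknown"
            elif ver <= AFFECTED[name]:
                # A caret range such as '^3.2.0' can never resolve to 4.x,
                # so its numeric floor is enough to decide it is affected.
                status = "affected"
            else:
                status = "fixed"
            findings.append((name, spec, status))
    return findings


# Constructed sample manifest (not from any real project).
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "next": "15.0.0",
    "flags": "^3.2.0",
    "@vercel/flags": "3.1.1"
  }
}"""

if __name__ == "__main__":
    for name, spec, status in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{name:<14} {spec:<8} {status}")
```

Run it against each deployed application's package.json; any 'affected' or 'unknown' result should be followed by the upgrade to flags@4.0.0 described in the Remediation section.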
Impact
Exploitation of this vulnerability could lead to unauthorized access to feature flag information, including names, descriptions, available options and their labels, and default values. However, it does not allow access to flag providers, write access, or additional customer data.
Remediation
Users are advised to upgrade to 'flags@4.0.0'. For those using '@vercel/flags', migration to 'flags@4.0.0' is recommended. Vercel has also implemented a network-level mitigation for the default flags discovery endpoint, which protects against exploitation of this vulnerability. However, if using a custom path for the flags discovery endpoint or the Flags SDK on Pages Router, additional steps may be needed to restrict access to the exposed endpoints.
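Where the discovery endpoint sits on a custom path or on Pages Router, the network-level mitigation mentioned above may not cover it, so it is worth confirming from access logs that the endpoint never answers successfully to a request without credentials. The sweep below is an added example written for this advisory, not Vercel's code; the log format (one JSON object per line with 'ts', 'method', 'path', 'status' and an 'authorization' boolean) and all sample entries are constructed, and the custom path '/internal/flags' is a hypothetical example of a non-default discovery path.

```python
import json

# Default discovery path named in the advisory.
DEFAULT_DISCOVERY_PATH = "/.well-known/vercel/flags"


def _normalize(path):
    """Strip query string and trailing slash so path variants compare equal."""
    return path.split("?", 1)[0].rstrip("/")


def find_unauthenticated_discovery_hits(log_lines, discovery_paths=(DEFAULT_DISCOVERY_PATH,)):
    """Return log entries where a flags discovery path returned 200 to a request
    that carried no Authorization header. A non-empty result means the endpoint
    is reachable without credentials and needs access restricted."""
    watched = {_normalize(p) for p in discovery_paths}
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        if _normalize(entry.get("path", "")) not in watched:
            continue
        if entry.get("status") == 200 and not entry.get("authorization", False):
            hits.append(entry)
    return hits


# Constructed sample log (not captured from any real deployment).
SAMPLE_LOG = [
    '{"ts": "2025-01-01T10:00:00Z", "method": "GET", "path": "/.well-known/vercel/flags", "status": 401, "authorization": false}',
    '{"ts": "2025-01-01T10:00:05Z", "method": "GET", "path": "/.well-known/vercel/flags", "status": 200, "authorization": true}',
    '{"ts": "2025-01-01T10:00:09Z", "method": "GET", "path": "/.well-known/vercel/flags?x=1", "status": 200, "authorization": false}',
    '{"ts": "2025-01-01T10:00:12Z", "method": "GET", "path": "/internal/flags", "status": 200, "authorization": false}',
    '{"ts": "2025-01-01T10:00:15Z", "method": "GET", "path": "/api/health", "status": 200, "authorization": false}',
    'not json at all',
]

if __name__ == "__main__":
    for hit in find_unauthenticated_discovery_hits(SAMPLE_LOG, (DEFAULT_DISCOVERY_PATH, "/internal/flags")):
        print(f"{hit['ts']} {hit['method']} {hit['path']} -> {hit['status']} without Authorization")
```

Pass every path the discovery endpoint is served on (the default plus any custom path) in discovery_paths; a 401 without credentials is the expected behaviour, while a 200 without credentials is the condition to alert on and fix.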