Vercel Next.js
cpe:2.3:a:vercel:next.js:*:*:*:*:node.js:*:*
- >= 13.0, < 15.2.2
A vulnerability in Next.js versions 13.0 prior to 15.2.2 allows limited source code exposure in local development environments. This issue arises when the development server is running with the App Router enabled. The vulnerability can be exploited by visiting a malicious webpage while the server is active, leading to unauthorized access to component source code via WebSocket connections to localhost. The root cause is a lack of origin verification on the WebSocket interface, similar to CVE-2018-14732 but scoped to local development use.
Exploitation of this vulnerability allows a malicious website to open a WebSocket connection to the local development server, accessing sensitive component source code from Next.js projects that use the App Router.
Users can upgrade to Next.js version 15.2.2 or later, which includes the necessary origin checks to prevent unauthorized WebSocket access during development. For those needing to maintain backward compatibility, the 'allowedDevOrigins' option can be used to specify which origins are allowed to connect.
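As an added example (not Next.js's own code), this is the shape of the Origin check whose absence the advisory describes, written as a Node.js WebSocket upgrade handler: a handshake from the dev server's own loopback origin passes, any other origin must appear in an allowlist that plays the role of the 'allowedDevOrigins' option, and everything else is refused before the socket is upgraded. The allowlist value and the function names are constructed for illustration.

```javascript
// Added example, not Next.js code: Origin verification for a local dev WebSocket.
// Browsers always send an Origin header on a WebSocket handshake, so a dev
// server can refuse a cross-site page before handing the socket over.

// Hostnames the developer explicitly trusts, mirroring the role of
// 'allowedDevOrigins' in the advisory. Constructed value.
const allowedDevOrigins = ['local-dev.test'];

// Origins that belong to the dev server itself. URL.hostname keeps the
// brackets around IPv6 literals, so '[::1]' is the form to compare against.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns true only when the handshake Origin is the loopback dev server or an
// explicitly allowed development host. A missing, malformed or "null" Origin is
// rejected: it cannot be shown to come from the developer's own page.
function isAllowedOrigin(originHeader, allowed = allowedDevOrigins) {
  if (typeof originHeader !== 'string' || originHeader === '') return false;
  let url;
  try {
    url = new URL(originHeader); // throws on 'null' and other non-URLs
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname; // already lower-cased by the URL parser
  return LOOPBACK_HOSTS.has(host) || allowed.includes(host);
}

// Fits the (req, socket) signature of Node's http 'upgrade' event. Closes the
// raw socket with a 403 when the Origin check fails; returns whether the
// upgrade may proceed so the caller can hand the socket to its WebSocket code.
function handleUpgrade(req, socket) {
  if (!isAllowedOrigin(req.headers.origin)) {
    socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
    socket.destroy();
    return false;
  }
  return true; // caller completes the WebSocket handshake here
}

module.exports = { isAllowedOrigin, handleUpgrade, allowedDevOrigins };
```

Wire `handleUpgrade` to `server.on('upgrade', ...)` on the dev server's HTTP listener; the check runs before any WebSocket framing, so a rejected page never reaches the code that serves component source.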