CVE-2025-48068
Next.js releases versions 14.2.30 and 15.2.2 to fix a low-severity dev-server vulnerability enabling cross-site WebSocket hijacking and cross-origin script inclusion via missing origin validation.
A low-severity vulnerability in the Next.js dev server has been addressed. It affects Next.js versions 13.0.0 through 14.2.29 and 15.0.0 through 15.2.1. It includes two related issues affecting the local development server: Cross-Site WebSocket Hijacking (CSWSH) and Cross-Origin Script Inclusion. Both stem from the lack of origin validation on development server resources.

When running next dev, a malicious website can:

The root cause is insufficient origin verification on local development server resources, including the WebSocket server and static script endpoints. This issue is similar to CVE-2018-14732, though scoped strictly to local development use.

This issue was fixed in Next.js versions 14.2.30 and 15.2.2. These releases introduce a configuration option to enable origin checks, which helps prevent unauthorized cross-origin requests to the local development server.

You can learn how to enable this option after upgrading to a patched version by visiting our documentation page. Note that this configuration is currently opt-in and will become the default in a future major release. This CVE affects local development; no mitigations are required for applications in…
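As an added illustration of the missing check (not Next.js code and not the option the advisory refers to), the following Node.js snippet validates the Origin header on a dev server's WebSocket upgrade against a loopback allowlist; the allowlist defaults and helper names are assumptions.

```javascript
// Added example: Origin validation for a local dev server's WebSocket upgrade,
// the class of check whose absence CVE-2025-48068 describes. Not Next.js code;
// the default allowlist and helper names are assumptions for this illustration.

// Hosts a developer normally browses the dev server from (any port).
const DEFAULT_ALLOWED_HOSTS = ['localhost', '127.0.0.1', '[::1]'];

// True only if the Origin header parses as http(s) and its host is allowlisted.
// A missing Origin is rejected: browsers always send it on WebSocket upgrades,
// so its absence means a non-browser client or a stripped request.
function isAllowedOrigin(originHeader, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  if (typeof originHeader !== 'string' || originHeader === '') return false;
  let parsed;
  try {
    parsed = new URL(originHeader); // WHATWG URL, global in Node
  } catch {
    return false; // unparsable, e.g. the literal "null" from a sandboxed frame
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  // Use the parsed hostname, not a string prefix: "http://localhost@evil.test"
  // or "http://localhost.evil.test" must not pass as "localhost".
  return allowedHosts.includes(parsed.hostname);
}

// Decide whether an upgrade request may proceed. `req` only needs `headers`,
// so the decision is unit-testable without opening a socket.
function decideUpgrade(req, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  const origin = req.headers.origin;
  if (!isAllowedOrigin(origin, allowedHosts)) {
    return { accept: false, status: 403, reason: `origin not allowed: ${origin}` };
  }
  return { accept: true };
}

// Wire the check into a Node http.Server's `upgrade` event. Without it, any
// site open in the developer's browser could complete the handshake (the
// CSWSH case in the advisory). `onAccepted` receives the vetted request.
function attachOriginGuard(server, onAccepted, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  server.on('upgrade', (req, socket, head) => {
    const decision = decideUpgrade(req, allowedHosts);
    if (!decision.accept) {
      socket.write(`HTTP/1.1 ${decision.status} Forbidden\r\nConnection: close\r\n\r\n`);
      socket.destroy();
      return;
    }
    onAccepted(req, socket, head);
  });
}
```

Call attachOriginGuard before handing accepted sockets to whatever WebSocket library completes the handshake, so rejected origins never reach it.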
Source: vercel.com (primary reference for CVE-2025-48068)