Information disclosure in Flags SDK (CVE-2025-46332)
Vercel patches an information disclosure flaw (CVE-2025-46332) in the Flags SDK affecting versions ≤ 3.2.0, exposing flag names, descriptions, and default values; users should upgrade to flags@4.0.0.
Vercel discovered and patched an information disclosure vulnerability in the Flags SDK, affecting versions 3.2.0 and below. This is being tracked as CVE-2025-46332. We have published an automatic mitigation for the default configuration of the Flags SDK on Vercel. We recommend upgrading to flags@4.0.0 (or migrating from @vercel/flags to flags) to remediate the issue. Further guidance can be found in the upgrade guide.

A malicious actor could, under specific conditions, determine flag names, descriptions, and default values. Flags providers were not accessible. No write access nor additional customer data was exposed; the exposure is limited to the values noted above.

Vercel implemented a network-level mitigation to prevent the default flags discovery endpoint at /.well-known/vercel/flags from being reachable, which automatically protects Vercel deployments against exploitation of this issue. While uncommon, if you are exposing the flags discovery endpoint through custom paths, you can also implement a custom WAF rule to restrict access to these endpoints as a mitigation, for example when using:

We recommend that all users upgrade to flags@4.0.0. Flags Explorer will be disabled and show a warning notice until you upgrade to the latest version. …