CVE-2025-48068 - Vercel

Vercel News·Aaron Brown·5 days ago

A low-severity vulnerability in the Next.js dev server has been addressed.

Summary

This vulnerability affects Next.js versions 13.0.0 through 14.2.29 and 15.0.0 through 15.2.1. It includes two related issues affecting the local development server: Cross-Site WebSocket Hijacking (CSWSH) and Cross-Origin Script Inclusion. Both stem from the lack of origin validation on development server resources.

Impact

When running next dev, a malicious website can:

- Initiate a WebSocket connection to localhost and interact with the local development server if the project uses the App Router, potentially exposing internal component code.
- Inject a <script> tag referencing predictable paths for development scripts (e.g., /app/page.js), which are then executed in the attacker's origin. This can allow extraction of source code.

The root cause is insufficient origin verification on local development server resources, including the WebSocket server and static script endpoints.…
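
An added example, not taken from the advisory or from Next.js: one way a local dev server can apply the missing origin validation to both WebSocket upgrades and script requests. ALLOWED_HOSTS, port 3000 and the function names are assumptions, and headers is a lower-cased header map such as Node's req.headers.

```javascript
// Added example (not Next.js source). ALLOWED_HOSTS, port 3000 and the
// function names are assumptions made for illustration.
const ALLOWED_HOSTS = new Set(["localhost:3000", "127.0.0.1:3000"]);

// Host (with port) of an Origin or Referer value, or null if unusable.
function originHost(value) {
  if (!value || value === "null") return null; // opaque origin (sandbox, file://)
  try {
    return new URL(value).host.toLowerCase();
  } catch {
    return null;
  }
}

// WebSocket handshakes are not restricted by the same-origin policy, so the
// server has to compare the Origin header against its own allowlist.
function allowWebSocketUpgrade(headers) {
  const origin = headers["origin"];
  if (origin === undefined) return true; // browsers always send Origin here
  const host = originHost(origin);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// A cross-origin <script src> is a no-cors GET and carries no Origin header;
// Sec-Fetch-Site (or Referer on older browsers) is what identifies it.
function allowScriptRequest(headers) {
  const site = headers["sec-fetch-site"];
  if (site !== undefined) return site === "same-origin" || site === "none";
  const referer = headers["referer"];
  if (referer === undefined) return true; // assumed non-browser client
  const host = originHost(referer);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Constructed sample requests: [label, check, lower-cased headers].
const SAMPLES = [
  ["dev socket from the app", allowWebSocketUpgrade, { origin: "http://localhost:3000" }],
  ["socket from another site", allowWebSocketUpgrade, { origin: "https://other.example" }],
  ["script loaded by the app", allowScriptRequest, { "sec-fetch-site": "same-origin" }],
  ["script tag on another site", allowScriptRequest, { "sec-fetch-site": "cross-site" }],
];

function evaluateSamples() {
  return SAMPLES.map(([label, check, headers]) => [label, check(headers)]);
}

for (const [label, allowed] of evaluateSamples()) {
  console.log(`${allowed ? "allow" : "reject"}  ${label}`);
}
```

The Referer fallback is best-effort, since a page can suppress Referer; a stricter server rejects script requests that carry neither header.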
