Description
Vulnerable Library - @kleros/kleros-v2-web-devtools-0.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: a3f5416a71e1112e0fb8a2d29dc240c8665c7335
Vulnerabilities
Vulnerability | Severity | Dependency | Type | Fixed in (@kleros/kleros-v2-web-devtools version) | Remediation Possible**
---|---|---|---|---|---
CVE-2025-48068 | 4.7 | next-14.2.28.tgz | Transitive | N/A* | ❌
CVE-2024-55565 | 4.3 | nanoid-3.3.7.tgz | Transitive | N/A* | ❌
*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed; that version can then be forced through the package manager's override/resolution mechanism.
**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2025-48068
Vulnerable Library - next-14.2.28.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-14.2.28.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @kleros/kleros-v2-web-devtools-0.1.0.tgz (Root Library)
  - ❌ next-14.2.28.tgz (Vulnerable Library)
Found in HEAD commit: a3f5416a71e1112e0fb8a2d29dc240c8665c7335
Found in base branches: dev, master
Vulnerability Details
Summary: This vulnerability is similar to CVE-2018-14732. When running a Next.js server locally (e.g. through "npm run dev"), the WebSocket server is vulnerable to the Cross-site WebSocket hijacking (CSWSH) attack, and a bad actor can access the source code of client components if the user visits a malicious link while the Next.js dev server is running.
Impact: If a user is running a Next.js server locally (e.g. "npm run dev") and browses to a malicious website, that website may be able to access the source code of the Next.js app. This vulnerability only affects applications making use of App Router. Note: App Router was experimental, requiring "experimental.appDir = true", in versions ">=13.0.0" to "<13.4".
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-05-30
URL: CVE-2025-48068
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-3h52-269p-cp9r
Release Date: 2025-05-30
Fix Resolution: next - 15.2.2
Step up your Open Source Security Game with Mend here
CVE-2024-55565
Vulnerable Library - nanoid-3.3.7.tgz
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @kleros/kleros-v2-web-devtools-0.1.0.tgz (Root Library)
  - next-14.2.28.tgz
    - postcss-8.4.31.tgz
      - ❌ nanoid-3.3.7.tgz (Vulnerable Library)
Found in HEAD commit: a3f5416a71e1112e0fb8a2d29dc240c8665c7335
Found in base branches: dev, master
Vulnerability Details
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values passed as the id size. 3.3.8 is also a fixed version: it is the backport on the 3.x line, so a project that reaches nanoid 3.x transitively (here via postcss) can move that transitive dependency to 3.3.8 without a major-version upgrade.
Publish Date: 2024-12-09
URL: CVE-2024-55565
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-55565
Release Date: 2024-12-09
Fix Resolution: nanoid - 5.0.9