Description
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
Remediation
Upgrade to Next.js 9.3.2 or later, where this issue is fixed.
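To find out whether a project resolves a version before 9.3.2, the added example below scans parsed `package-lock.json` data for every installed copy of `next`. It is not code from Next.js or the advisory. The helper names (`isAffected`, `findNextVersions`) and the sample lockfile are constructed for illustration, and it assumes that prereleases of 9.3.2 count as affected because they sort before 9.3.2 in semver order.

```javascript
// Added example: flags Next.js versions before 9.3.2 in npm lockfile data.
const FIXED = [9, 3, 2]; // first fixed release, per the advisory text

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when the version sorts before 9.3.2 in semver order.
// Assumption: a prerelease such as 9.3.2-canary.1 precedes 9.3.2 and is flagged.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) throw new Error(`unparseable version: ${version}`);
  for (let i = 0; i < 3; i++) {
    if (p.core[i] !== FIXED[i]) return p.core[i] < FIXED[i];
  }
  return p.pre !== null;
}

// Collect every resolved copy of "next" from a parsed package-lock.json.
// Handles lockfileVersion 2/3 ("packages") and 1 ("dependencies", nested).
function findNextVersions(lock) {
  const found = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/next$/.test(path) && info.version) {
      found.push({ path, version: info.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "next" && info.version) found.push({ path, version: info.version });
      walk(info.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found.map((f) => ({ ...f, affected: isAffected(f.version) }));
}

// Constructed sample lockfile (not from any real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/next": { version: "9.3.1" },
    "packages/site/node_modules/next": { version: "9.3.2" },
    "node_modules/next-tick": { version: "1.0.0" },
  },
};
console.log(findNextVersions(sampleLock));
```

In a real project, pass `JSON.parse` of the lockfile contents to `findNextVersions`; nested copies matter because a monorepo or a transitive dependency can pin an older `next` than the top-level one.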
References
https://github.com/zeit/next.js/releases/tag/v9.3.2
https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj
Related Vulnerabilities
CVE-2019-10767 Vulnerability in npm package iobroker.js-controller
CVE-2019-10401 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2018-3744 Vulnerability in npm package html-pages
CVE-2023-43794 Vulnerability in npm package nocodb
CVE-2017-18239 Vulnerability in maven package com.jason-goodwin:authentikat-jwt