Description

Next.js is a minimalistic framework for server-rendered React applications.

A directory traversal issue exists on Next.js versions lower than 2.4.1. This issues affects the /_next and /static request namespaces. An attacker can craft a request that accesses potentially sensitive information in your filesystem.

Remediation

Upgrade to the latest version of Next.js (this issue was fixed in Next.js version 2.4.1).

References

Next.js and Serve Security Patches

Arbitrary File Reading in Next.js < 2.4.1

Related Vulnerabilities

WordPress Plugin WP Fastest Cache Directory Traversal (0.8.9.5)

WordPress Plugin SAM Pro (Free Edition) Local File Inclusion (1.9.6.67)

WordPress Plugin Responsive Owl Carousel for Elementor Local File Inclusion (1.2.0)

WordPress Plugin Blogtopdf Local File Inclusion (1.0.2)

Unauthenticated Arbitrary File Read vulnerability in VMware vCenter

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Directory Traversal