Description
Remote Code Execution in next
Versions of next prior to 5.1.0 are vulnerable to Remote Code Execution. The /path: route fails to properly sanitize input and passes it to a require() call. This allows attackers to execute JavaScript code on the server. Note that prior to version 0.9.9, the next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.
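The bug class described above, route input reaching a require() call, is avoided when the request is resolved through a fixed lookup table, so that it never forms part of the module path. The code below is an added example, not code from the next package; PAGE_MANIFEST, resolvePageModule and loadPage are hypothetical names, and the manifest entries are constructed.

```javascript
// Added illustration with hypothetical names; not code from the next package.
// Constructed manifest: the only modules the server is ever allowed to load.
const PAGE_MANIFEST = new Map([
  ['/index', './pages/index.js'],
  ['/about', './pages/about.js'],
  ['/blog/post', './pages/blog/post.js'],
]);

// Map an untrusted route parameter to a module id, or null if it is not allowed.
function resolvePageModule(rawPath, manifest = PAGE_MANIFEST) {
  if (typeof rawPath !== 'string' || rawPath.length === 0 || rawPath.length > 256) {
    return null;
  }

  let decoded;
  try {
    decoded = decodeURIComponent(rawPath); // malformed escapes throw URIError
  } catch (err) {
    return null;
  }

  // Reject leftover percent signs (double encoding), NUL bytes and backslashes.
  if (/[%\0\\]/.test(decoded)) {
    return null;
  }

  // Collapse empty segments, then refuse any relative-path segment.
  const segments = decoded.split('/').filter((s) => s !== '');
  if (segments.some((s) => s === '.' || s === '..')) {
    return null;
  }

  // Exact lookup: the request never contributes to the string given to require().
  const key = '/' + segments.join('/');
  return manifest.has(key) ? manifest.get(key) : null;
}

// Load a page only through the lookup above; `load` defaults to require.
function loadPage(rawPath, load = require) {
  const moduleId = resolvePageModule(rawPath);
  if (moduleId === null) {
    return { status: 404, page: null };
  }
  return { status: 200, page: load(moduleId) };
}
```

Anything that is not an exact key in the manifest is answered with a 404 before any module loading takes place.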
Recommendation
Upgrade to version 5.1.0.
Packages
Name: next (npm)
Affected versions: >= 0.9.9, < 5.1.0
Fixed version: 5.1.0
Weaknesses
CWE-20