Description
Directory Traversal in Next.js
Impact
- Not affected: Deployments on ZEIT Now v2 (https://zeit.co) are not affected
- Not affected: Deployments using the `serverless` target
- Not affected: Deployments using `next export`
- Affected: Users of Next.js below 9.3.2
We recommend that everyone upgrade, regardless of whether you can reproduce the issue or not.
Patches
https://github.com/zeit/next.js/releases/tag/v9.3.2
References
Packages
- Name: next (npm)
- Affected versions: < 9.3.2
- Fixed version: 9.3.2
Related vulnerabilities
CVSS3: 4.4
nvd
about 5 years ago
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.