UNKNOWN npm
Remote Code Execution in next
GHSA-5vj8-3v2h-h38v
Published · Modified
Description
Versions of next prior to 5.1.0 are vulnerable to Remote Code Execution. The /path: route fails to properly sanitize input and passes it to a require() call, which allows attackers to execute JavaScript code on the server. Note that before version 0.9.9 the next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.
Recommendation
Upgrade to version 5.1.0.
References