4.2.3
Release notes
This upgrade is completely backwards compatible and recommended for all users.
For future security related communications of our OSS projects, please join this mailing list.
We were notified of a directory traversal issue under the /_next request namespace.
An attacker can craft a request that accesses potentially sensitive information in your filesystem.
How to upgrade
- We have released patch versions of the stable and beta releases.
- The following versions fix this bug and include precautions to avoid similar problems in the future.
- Run npm install next@latest --save
- When using the canary release channel, use npm install next@canary --save
Impact
- Affected: Users of Next.js prior to this release
- Not affected: Deployments on https://now.sh (like https://zeit.co) are mitigated. A platform-wide mitigation was implemented immediately after the report was received.
- Not affected: Static deployments via next export
We recommend that everyone upgrade, regardless of whether you can reproduce the issue.
Users of container-based deployments, chroot environments and virtualization are at significantly lower risk of sensitive data exposure. In most such scenarios, an attacker would only be able to access frontend JavaScript components.
How to assess impact
If you think sensitive code or data could have been exposed, please filter logs of affected sites by ".." (excluding quotes in all cases) and check for 200 responses.
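One way to run the check described above over access logs, as an added example that is not part of the original release notes or of Next.js itself. It assumes logs in the common/combined format (client, timestamp, request line, status), which is an assumption; it flags requests under /_next whose path contains a ".." segment after percent-decoding (so %2e%2e is caught as well as a literal "..") and reports whether each one was answered with 200. The sample log lines are constructed, not real traffic.

```javascript
// Added example (not Next.js project code): scan access-log lines for
// requests under /_next containing a ".." segment and report which of them
// were served with HTTP 200, which is the review the release notes ask for.

// Matches the common/combined log format (assumed): client, ident, user,
// [timestamp], "METHOD PATH PROTOCOL", status, size.
const LOG_LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Percent-decode a path, leaving it untouched if the escapes are malformed.
function decodeLoose(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Parse one log line into its fields, or return null if it does not match.
function parseLogLine(line) {
  const m = LOG_LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]) };
}

// A request is a traversal attempt when it targets /_next and its decoded
// path (query string removed) has a ".." segment, split on "/" or "\".
function isTraversalAttempt(entry) {
  if (!entry.path.startsWith('/_next')) return false;
  const decoded = decodeLoose(entry.path.split('?')[0]);
  return decoded.split(/[\/\\]/).includes('..');
}

// Return every traversal attempt in the log text, marking those that got a
// 200 response (the ones that may have disclosed a file).
function findExposures(logText) {
  const results = [];
  for (const line of logText.split('\n')) {
    const entry = parseLogLine(line);
    if (!entry || !isTraversalAttempt(entry)) continue;
    results.push({ ...entry, served: entry.status === 200 });
  }
  return results;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Feb/2018:10:00:00 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 5120',
  '10.0.0.9 - - [01/Feb/2018:10:00:01 +0000] "GET /_next/../../package.json HTTP/1.1" 200 812',
  '10.0.0.9 - - [01/Feb/2018:10:00:02 +0000] "GET /_next/%2e%2e/%2e%2e/.env HTTP/1.1" 404 120',
  '10.0.0.7 - - [01/Feb/2018:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
].join('\n');

// Usage: list the attempts; any entry with served === true deserves a look
// at what file sits at that path on the affected host.
const EXPOSURES = findExposures(SAMPLE_LOG);
console.log(EXPOSURES);
```

The percent-decoding step is deliberate: a plain text search for ".." in the raw log misses encoded variants, and the release notes' advice to check for 200 responses is what the served flag captures. Requests that were refused (404, 403) still show that the site was probed, which is useful context for deciding whether to upgrade urgently.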
What is being done
As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Orange Tsai from DEVCORE for his investigation and discovery of the original bug and subsequent responsible disclosure.
Six months ago there was a similar, but different, path traversal possible on paths under the /static directory. To prevent future regressions regarding path traversal, we have separated all security-related tests into a common file called security.js, so that every future commit will be verified against these known, fixed vulnerabilities.
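To illustrate the kind of check and regression fixtures such a security test file holds, here is an added example; it is not Next.js code and does not reproduce the project's security.js or its actual fix. The serving root BUILD_ROOT, the function name resolveNextAsset and the fixture list are all assumptions made for the example. The resolver maps a request under /_next to a file inside the root by resolving "." and ".." segments itself and refusing any request that would climb above the root, any malformed percent-encoding, and any NUL byte.

```javascript
// Added example (not Next.js project code): a contained path resolver for
// requests under /_next plus the fixtures a regression test would keep so
// that a future change cannot silently reintroduce traversal.

// Hypothetical serving root; the real build directory is an assumption here.
const BUILD_ROOT = '/srv/app/.next';

// Resolve a URL path into its segments, applying "." and "..". Returns null
// when the path would escape the root, cannot be decoded, or carries a NUL.
function containedSegments(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (e) {
    return null; // malformed escapes are refused rather than guessed at
  }
  const stack = [];
  for (const seg of decoded.split(/[\/\\]/)) { // treat "\" like "/"
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (stack.length === 0) return null; // would climb above the root
      stack.pop();
      continue;
    }
    if (seg.includes('\0')) return null; // NUL truncates paths in C-level file APIs
    stack.push(seg);
  }
  return stack;
}

// Map a request under /_next/ to a file path inside BUILD_ROOT, or return
// null to answer 404. The result is built from checked segments only, never
// by string-concatenating the raw request onto the root.
function resolveNextAsset(requestPath) {
  const prefix = '/_next/';
  if (!requestPath.startsWith(prefix)) return null;
  const segs = containedSegments(requestPath.slice(prefix.length));
  if (segs === null || segs.length === 0) return null;
  return BUILD_ROOT + '/' + segs.join('/');
}

// Regression fixtures (constructed): [request, expected file or null for
// "must be refused"]. Each refused case is a traversal shape the resolver
// has to keep rejecting.
const CASES = [
  ['/_next/static/chunks/main.js', BUILD_ROOT + '/static/chunks/main.js'],
  ['/_next/static/../static/app.js', BUILD_ROOT + '/static/app.js'],
  ['/_next/../../package.json', null],
  ['/_next/%2e%2e/%2e%2e/.env', null],
  ['/_next/..%5c..%5cpackage.json', null],
  ['/_next/static/%00.js', null],
  ['/_next/%zz', null],
  ['/static/other.js', null],
];

// Run every fixture and report the outcome; a CI step would fail on any ok === false.
function runSecurityCases() {
  return CASES.map(([req, want]) => {
    const got = resolveNextAsset(req);
    return { req, want, got, ok: got === want };
  });
}

console.log(runSecurityCases());
```

The design point is that containment is decided on the parsed segments before any filesystem call, so the resolver never relies on the OS to reject a bad path, and the fixture table is the part worth keeping under version control: each entry records one shape of input that once caused, or could cause, a traversal, which is what makes the tests a guard against regression rather than a one-off check.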
- We have notified known Next.js users in advance of this publication.
- A public CVE was released.
- If you want to stay on top of our security related news impacting Next.js or other projects, please join this mailing list.
- We encourage responsible disclosure of future issues. Please email us at security@zeit.co. We are actively monitoring this mailbox.