Security context
High· 7.5GHSA-3f5c-4qxj-vmpf CVE-2017-16877CWE-22Published Dec 5, 2017

Next.js Directory Traversal Vulnerability

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

1.0.0 → fixed in 2.4.1

Details

Next.js before 2.4.1 has directory traversal under the `/_next` and `/static` request namespace, allowing attackers to obtain sensitive information.

The fix

Implement the fix.

Arunoda Susiripala· Jun 1, 2017, 12:16 AM+18143c447edd0
server/index.js+18 1
@@ -1,4 +1,4 @@
-import { resolve, join } from 'path'
+import { resolve, join, sep } from 'path'
import { parse as parseUrl } from 'url'
import { parse as parseQs } from 'querystring'
import fs from 'fs'
@@ -295,6 +295,10 @@ export default class Server {
}
async serveStatic (req, res, path) {
+ if (!this.isServeableUrl(path)) {
+ return this.render404(req, res)
+ }
+
try {
return await serveStatic(req, res, path)
} catch (err) {
@@ -306,6 +310,19 @@ export default class Server {
}
}
+ isServeableUrl (path) {
+ const resolved = resolve(path)
+ if (
+ resolved.indexOf(join(this.dir, this.dist) + sep) !== 0 &&
+ resolved.indexOf(join(this.dir, 'static') + sep) !== 0
+ ) {
+ // Seems like the user is trying to traverse the filesystem.
+ return false
+ }
+
+ return true
+ }
+
isInternalUrl (req) {
for (const prefix of internalPrefixes) {
if (prefix.test(req.url)) {

References