Next.js Directory Traversal Vulnerability
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
1.0.0 → fixed in 2.4.1
Details
Next.js before 2.4.1 has directory traversal under the `/_next` and `/static` request namespace, allowing attackers to obtain sensitive information.
The fix
Implement the fix.
server/index.js+18 −1
@@ -1,4 +1,4 @@-import { resolve, join } from 'path'+import { resolve, join, sep } from 'path'import { parse as parseUrl } from 'url'import { parse as parseQs } from 'querystring'import fs from 'fs'@@ -295,6 +295,10 @@ export default class Server {}async serveStatic (req, res, path) {+if (!this.isServeableUrl(path)) {+return this.render404(req, res)+}+try {return await serveStatic(req, res, path)} catch (err) {@@ -306,6 +310,19 @@ export default class Server {}}+isServeableUrl (path) {+const resolved = resolve(path)+if (+resolved.indexOf(join(this.dir, this.dist) + sep) !== 0 &&+resolved.indexOf(join(this.dir, 'static') + sep) !== 0+) {+// Seems like the user is trying to traverse the filesystem.+return false+}++return true+}+isInternalUrl (req) {for (const prefix of internalPrefixes) {if (prefix.test(req.url)) {