Description
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
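The version boundary above (anything before 9.3.2 is affected) can be checked against a project's lockfile. The following is an added example, not code from this advisory or from the Next.js project; the function names and the sample lockfile are constructed for illustration, and it assumes the standard npm package-lock.json layouts.

```javascript
// Added example (not Next.js project code): audit a parsed package-lock.json
// for copies of "next" that sort before the fixed release 9.3.2.
const FIXED = [9, 3, 2];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if not plain semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// 'affected' | 'fixed' | 'unknown'. A prerelease of 9.3.2 (constructed case:
// "9.3.2-canary.1") precedes 9.3.2 in semver order, so it is reported affected.
function status(version) {
  const p = parseVersion(version);
  if (!p) return 'unknown'; // e.g. a git URL or tarball spec in the lockfile
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i] ? 'affected' : 'fixed';
  }
  return p.pre ? 'affected' : 'fixed';
}

// Walk both lockfile layouts: the flat "packages" map (lockfileVersion 2/3)
// and the nested "dependencies" tree (lockfileVersion 1).
function auditLock(lock) {
  const out = [];
  const add = (path, version) => out.push({ path, version, status: status(version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/next$/.test(path) && meta.version) add(path, meta.version);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${prefix}node_modules/${name}`;
      if (name === 'next' && meta.version) add(here, meta.version);
      walk(meta.dependencies, `${here}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // avoid double counting in v2 files
  return out;
}

// Constructed sample lockfile (lockfileVersion 1 layout), for illustration only.
const sampleLock = {
  dependencies: {
    next: { version: '9.3.1' },
    'docs-site': { version: '1.0.0', dependencies: { next: { version: '9.3.2' } } },
  },
};
console.log(auditLock(sampleLock));
```

Nested copies matter here: a transitive dependency can pin an older `next` even when the top-level entry is already at 9.3.2 or later.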
Remediation
References
https://github.com/zeit/next.js/releases/tag/v9.3.2
https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj