Affected versions of Next.js are vulnerable to Path Traversal. Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This vulnerability does not affect files outside of the dist directory (.next).

Directory traversal vulnerabilities enable attackers to read arbitrary files on the server filesystem, which can result in exposure of sensitive information, such as configuration files, user data or other system files. By exploiting these vulnerabilities, an attacker could potentially gain access to system data, credentials or secret keys, leading to a broad range of potential attacks, including privilege escalation, data theft, or unauthorized system access.


Update to version 9.3.2 or later: Patched versions of Next.js have been released to address this vulnerability. Update your Next.js version to 9.3.2 or later to protect against this vulnerability.


Related Vulnerabilities