Directory Traversal

Affecting next package, versions <2.4.1 || >=3.0.0-beta1 <3.0.0-beta7

high severity

Overview

next is a minimalistic framework for server-rendered React applications.

Affected versions of the package are vulnerable to Directory Traversal via the /_next and /static request namespaces. An attacker can craft a request that may access sensitive information in the server filesystem.
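The class of bug described above, as an added example that is not Next.js code and not the fix shipped in 2.4.1: a static-file route that joins the request path onto its root with no containment check, next to a version that refuses anything resolving outside the root. STATIC_ROOT, naiveResolve, safeResolve and the request paths are hypothetical, constructed for illustration.

```javascript
const path = require('node:path');

// Hypothetical on-disk root served under the /static namespace.
const STATIC_ROOT = path.resolve('/srv/app/static');

// Naive mapping: strips the prefix and joins. path.join() collapses ".."
// segments, so the returned path can sit outside `root`.
function naiveResolve(root, prefix, urlPath) {
  return path.join(root, urlPath.slice(prefix.length));
}

// Hardened mapping: returns an absolute path inside `root`, or null when
// the request must be refused.
function safeResolve(root, prefix, urlPath) {
  if (!urlPath.startsWith(prefix)) return null;
  let rel;
  try {
    rel = decodeURIComponent(urlPath.slice(prefix.length));
  } catch {
    return null; // malformed percent-encoding
  }
  if (rel.includes('\0')) return null; // NUL byte never belongs in a file name
  const full = path.resolve(root, rel);
  const fromRoot = path.relative(root, full);
  const escapes = fromRoot === '..' ||
    fromRoot.startsWith('..' + path.sep) ||
    path.isAbsolute(fromRoot);
  if (fromRoot === '' || escapes) return null; // the root itself, or outside it
  return full;
}

// Constructed request paths, run through both mappings.
function demo() {
  const requests = [
    '/static/css/site.css',
    '/static/../package.json',
    '/static/%2e%2e/%2e%2e/config.js',
    '/static/..notes.txt', // legitimate name that merely starts with ".."
  ];
  return requests.map((r) => ({
    request: r,
    naive: naiveResolve(STATIC_ROOT, '/static/', r),
    safe: safeResolve(STATIC_ROOT, '/static/', r),
  }));
}

console.table(demo());
```

The check is lexical; if the served directory can contain symlinks, compare fs.realpathSync results as well.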

Remediation

Upgrade next to version 2.4.1 or higher.


Credit: ru_raz0r
CWE: CWE-22
Snyk ID: npm:next:20170601
Disclosed: 31 May, 2017
Published: 12 Jun, 2017