Arbitrary File Read in Next.js
Description
Next.js is a React-based framework for building server-rendered web applications. Versions prior to 2.4.1 contain a directory traversal vulnerability that affects the /_next and /static request handlers. This flaw allows attackers to bypass intended access restrictions and read arbitrary files from the server's filesystem by manipulating URL paths with traversal sequences (e.g., ../). The vulnerability enables unauthorized access to files outside the application's designated public directories, potentially exposing sensitive configuration files, source code, and system files.
Remediation
Immediately upgrade Next.js to version 2.4.1 or later to remediate this vulnerability. Follow these steps:
1. Update the Next.js dependency in your package.json file to version 2.4.1 or higher:
"next": "^2.4.1"
2. Run the package manager update command:
npm update nextor
yarn upgrade next
3. Verify the installed version:
npm list next
4. Test your application thoroughly after the upgrade to ensure compatibility.
5. Review server logs for any suspicious requests to /_next or /static paths containing traversal sequences to identify potential exploitation attempts.
If immediate upgrading is not possible, implement temporary mitigations such as web application firewall (WAF) rules to block requests containing directory traversal patterns, though upgrading remains the only complete solution.