Path Traversal in Next.js up to 9.3.1 - Vulnerability Database

Path Traversal in Next.js up to 9.3.1

Description

Next.js versions prior to 9.3.2 contain a path traversal vulnerability (CWE-22) that allows attackers to access files within the application's build output directory (.next). By crafting malicious HTTP requests with directory traversal sequences (e.g., '../'), unauthorized users can read files that should not be publicly accessible. While this vulnerability is limited to the .next distribution directory and does not expose files outside this scope, it can still lead to disclosure of sensitive build artifacts, source maps, and configuration data that may aid further attacks.

Remediation

Immediately upgrade Next.js to version 9.3.2 or later, which contains a patch for this vulnerability. Follow these steps:

1. Update the Next.js dependency in your package.json:

"next": "^9.3.2"

2. Install the updated version:
npm install
or
yarn install

3. Rebuild your application to ensure the patched version is in use:
npm run build

4. Verify the installed version:
npm list next

5. Deploy the updated application to all environments (development, staging, and production).

As an additional security measure, review your web server configuration to ensure the .next directory is not directly accessible via web requests, though the framework update is the primary remediation.