Skip to content

Remote Code Execution in next

High severity GitHub Reviewed Published Sep 4, 2020 • Updated Apr 28, 2022

Package

npm next (npm)

Affected versions

>= 0.9.9, < 5.1.0

Patched versions

5.1.0

Description

Versions of next prior to 5.1.0 are vulnerable to Remote Code Execution. The /path: route fails to properly sanitize input and passes it to a require() call. This allows attackers to execute JavaScript code on the server. Note that prior version 0.9.9 package next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

Recommendation

Upgrade to version 5.1.0.

References

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-5vj8-3v2h-h38v

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.