Release Notes

This upgrade is completely backwards compatible and recommended for all users on versions 7.0.0 and 7.0.1.
For future security-related communications about our OSS projects, please join this mailing list.

Next.js has just been audited by one of the top security firms in the world. They found an XSS vulnerability on /_error pages (404, 500), where an attacker could craft a request that executes client-side code on these particular pages. As a reminder, websites that follow OWASP security guidelines should see minimized impact from this attack vector.

How to Upgrade

  • We have released patch versions for both the stable and canary channels of Next.js.
  • The following versions fix this bug and include precautions to avoid
    similar problems in the future
  • Run npm install next@latest --save
  • When using the canary release channel, use npm install next@canary --save

Impact

  • Affected: Users of Next.js using version 7.0.0 and 7.0.1
  • Not affected: Deployments on https://now.sh (like https://zeit.co) are mitigated.
  • Not affected: Static deployments via next export

We recommend that everyone upgrade, regardless of whether you can reproduce the issue.

How to Assess Impact

If you think sensitive code or data could have been exposed, please filter the logs of affected sites for requests matching /' that returned a 404 response.

What is Being Done

As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to Jessica Stokes from Buildkite, lvh and Jeremy Rauch from Latacora for their investigation and discovery of the original bug and subsequent responsible disclosure.

Next.js 7.0.0 included a bugfix for the inline script generation code, which previously had a condition that always returned false, so the error page was never initialized. The generated code passed the pathname through the htmlescape module to escape arbitrary HTML characters. However, this module does not escape single quotes ('), so an attacker could break out of the code block by including extra single quotes in the pathname. In Next.js 7.0.2 we have completely removed the user-provided pathname value from the inline script tag. Regression tests for this attack were added to the security test suite.
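The escaping gap described above, written as a small regression check. This is an added example, not Next.js or htmlescape code: `escapeHtmlChars` is a stand-in for an escaper that behaves as described, `initErrorPage` is a hypothetical function name, and the pathnames are constructed.

```javascript
// Stand-in escaper (assumption, not htmlescape's source): rewrites HTML-significant
// characters as \uXXXX escapes but, as described above, leaves ' untouched.
function escapeHtmlChars(value) {
  return value.replace(/[&<>\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// "Before" pattern: the request pathname sits inside a single-quoted JS literal.
function inlineScriptBefore(pathname) {
  return "initErrorPage('" + escapeHtmlChars(pathname) + "')";
}

// "After" pattern, following the 7.0.2 description: no user-provided value at all.
function inlineScriptAfter(_pathname) {
  return 'initErrorPage()';
}

// Regression check: evaluate the script body with a stub initErrorPage and report
// whether its only effect was one call that received nothing or exactly `pathname`.
// Run this only on constructed test input; new Function is not a sandbox.
function literalIsIntact(scriptBody, pathname) {
  const calls = [];
  try {
    const run = new Function('initErrorPage', scriptBody);
    run((...args) => { calls.push(args); });
  } catch (err) {
    return false; // the literal ended early, so the rest no longer parses
  }
  return calls.length === 1 &&
    (calls[0].length === 0 || calls[0][0] === pathname);
}

// Constructed pathnames: HTML characters are handled, a single quote is not.
const samples = ['/blog/<b>', "/it's-missing"];
for (const p of samples) {
  console.log(JSON.stringify(p),
    'before:', literalIsIntact(inlineScriptBefore(p), p),
    'after:', literalIsIntact(inlineScriptAfter(p), p));
}
```

A check of this shape fails for any pathname that stops being a single string literal, which is the condition the release's regression tests guard against.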

  • We have notified known Next.js users in advance of this publication.
  • A public CVE was released.
  • If you want to stay on top of our security related news impacting Next.js or other ZEIT projects, please join this mailing list.
  • We encourage responsible disclosure of future issues. Please email us at security@zeit.co. We are actively monitoring this mailbox.