Vulnerability Database

296,747

Total vulnerabilities in the database

Remote Code Execution in next

Versions of next prior to 5.1.0 are vulnerable to Remote Code Execution. The /path: route fails to properly sanitize input and passes it to a require() call. This allows attackers to execute JavaScript code on the server. Note that prior version 0.9.9 package next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

Recommendation

Upgrade to version 5.1.0.

Published: Sep 4, 2020
Updated: Apr 14, 2023
GHSA: GHSA-5vj8-3v2h-h38v
Severity: High
Exploit:

No technical information available.

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
next	0.9.9	5.1.0

https://www.npmjs.com/advisories/1538

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo