Vulnerability Database

Remote Code Execution in next

Versions of next prior to 5.1.0 are vulnerable to Remote Code Execution. The /path: route fails to properly sanitize input and passes it to a require() call, which allows attackers to execute JavaScript code on the server. Note that prior to version 0.9.9 the next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.
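
The flaw class described above, a request-derived value reaching require(), shown as an added example; it is not Next.js source and not part of this advisory. The directory layout, function names and sample inputs are assumptions, and the hardened function combines a containment check with an allowlist of built files.

```javascript
// Added illustration: NOT Next.js source. All names and paths are hypothetical.

// Minimal POSIX-style normaliser so the example needs no imports.
function normalize(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Vulnerable pattern: the route parameter is joined to a base directory and
// the result would be handed straight to require().
function unsafeModulePath(baseDir, routeParam) {
  return normalize(baseDir + '/' + routeParam);
}

// Hardened pattern: decode once, reject odd characters, confirm containment,
// then demand an exact match against the files emitted by the build.
function safeModulePath(baseDir, routeParam, builtFiles) {
  let decoded;
  try {
    decoded = decodeURIComponent(routeParam);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (/[\0\\]/.test(decoded)) return null; // NUL byte or backslash
  const root = normalize(baseDir);
  const candidate = normalize(root + '/' + decoded);
  if (!candidate.startsWith(root + '/')) return null; // escaped baseDir
  return builtFiles.has(candidate) ? candidate : null; // allowlist
}

// Constructed sample data.
const BASE = '/srv/app/.build/dist';
const BUILT = new Set([BASE + '/pages/index.js', BASE + '/pages/about.js']);
```

Only a non-null result from safeModulePath would ever be passed to require(); a null result should map to a 404 response.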

Recommendation

Upgrade to version 5.1.0.

No technical information available.

CWEs: