CVE-2020-5284: 
JavaScript vulnerability analysis and mitigation

Next.js versions before 9.3.2 contained a directory traversal vulnerability (CVE-2020-5284) discovered in early 2020. The vulnerability allowed attackers to craft special requests to access files in the dist directory (.next). This vulnerability was limited to the dist directory and did not affect files outside of it. The dist directory typically only contains build assets unless applications intentionally store other assets there (GitHub Release).

The vulnerability was discovered through a security audit by Doyensec. Attackers could use directory traversal techniques to access files within the .next directory through specially crafted requests. The vulnerability affected deployments using next start command. A proof of concept for the vulnerability was demonstrated using the path HTTP://localhost/_next/static/../server/pages-manifest.json (AttackerKB).

The impact was limited to exposing files within the .next (dist) directory. Deployments on ZEIT Now v2, deployments using the serverless target, and deployments using next export were not affected. Only users of Next.js below version 9.3.2 that used next start were vulnerable (GitHub Release).

The primary mitigation is upgrading to Next.js version 9.3.2 or later. The patch ensures that only known filesystem paths of .next/static are made available under /_next/static. The development team added regression tests for this attack to their security integration test suite. For potentially affected systems, administrators can filter logs for '../' patterns with 200 response codes to assess impact (GitHub Release).

The vulnerability was responsibly disclosed by Luca Carettoni from Doyensec. Next.js development team established a security mailing list for future security-related communications and encouraged responsible disclosure of future issues through their security email (GitHub Release).