CVE-2020-5284 MEDIUM

CVE-2020-5284: Directory Traversal in Next.js versions below 9.3.2

Vendor Zeit

Product next.js

Weakness CWE-23

Published March 30, 2020

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

4.4/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.

Key dates

02Disclosure timeline

March 30, 2020 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-5284

Related vulnerabilities

CVE-2020-5284: Directory Traversal in Next.js versions below 9.3.2

01Description

02Disclosure timeline

03References

04Related CVE