High severity 7.5 · NVD Advisory · Published Nov 17, 2017 · Updated May 13, 2026
CVE-2017-16877
Description
ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| next (npm) | >= 1.0.0, < 2.4.1 | 2.4.1 |
Patches (1)
02fe7cf63f62: Merge branch 'fix-dir-traversal-error'
1 file changed · +18 −1
server/index.js+18 −1 modified@@ -1,4 +1,4 @@ -import { resolve, join } from 'path' +import { resolve, join, sep } from 'path' import { parse as parseUrl } from 'url' import { parse as parseQs } from 'querystring' import fs from 'fs' @@ -295,6 +295,10 @@ export default class Server { } async serveStatic (req, res, path) { + if (!this.isServeableUrl(path)) { + return this.render404(req, res) + } + try { return await serveStatic(req, res, path) } catch (err) { @@ -306,6 +310,19 @@ export default class Server { } } + isServeableUrl (path) { + const resolved = resolve(path) + if ( + resolved.indexOf(join(this.dir, this.dist) + sep) !== 0 && + resolved.indexOf(join(this.dir, 'static') + sep) !== 0 + ) { + // Seems like the user is trying to traverse the filesystem. + return false + } + + return true + } + isInternalUrl (req) { for (const prefix of internalPrefixes) { if (prefix.test(req.url)) {
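Review bot: the guard added at the top of `serveStatic` only protects requests that reach this method, so confirm in the surrounding server code that every filesystem read under the `/_next` and `/static` namespaces is routed through `serveStatic`; any other read of a request-derived path keeps the traversal reachable. Answering with `render404` rather than a 403 is a sound choice here, since it does not reveal whether the rejected path exists.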
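Review bot: in `isServeableUrl`, `resolve(path)` is always absolute, but `join(this.dir, this.dist) + sep` and `join(this.dir, 'static') + sep` are only absolute when `this.dir` is; with a relative `this.dir` the two `indexOf(...) !== 0` checks never match and every static request 404s. Build the right-hand sides with `resolve(this.dir, this.dist)` and `resolve(this.dir, 'static')` (or assert in the constructor that `this.dir` is absolute). Appending `sep` is correct, since without it a sibling such as `<dir>/.next-other/` would pass the prefix test for `<dir>/.next`. One remaining caveat: `resolve` collapses `..` segments but does not follow symlinks, so a symlink inside the dist or static directory can still point outside them; comparing `fs.realpathSync` results on both sides would close that if it matters for this server.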
References
- github.com/advisories/GHSA-3f5c-4qxj-vmpf (GHSA advisory)
- github.com/zeit/next.js/releases/tag/2.4.1 (NVD: third-party advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2017-16877 (GHSA: advisory)
- github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00 (NVD: web)