Platform
nodejs
Component
next
Fixed in
4.2.3
CVE-2018-6184 describes a Directory Traversal vulnerability affecting Next.js versions before 4.2.3. This flaw allows attackers to potentially read sensitive files on the server by manipulating requests to the /_next namespace. The vulnerability was published on January 24, 2018, and a fix is available in version 4.2.3.
The Directory Traversal vulnerability in Next.js allows an attacker to bypass intended access restrictions and retrieve files from the server's file system. By crafting malicious requests targeting the /_next directory, an attacker could potentially access configuration files, source code, or other sensitive data. The impact is particularly severe if the server is publicly accessible or if the application handles sensitive user data. Successful exploitation could lead to data breaches, unauthorized access to system resources, and potential compromise of the entire server.
CVE-2018-6184 is not currently listed on KEV or EPSS. Public Proof-of-Concept (POC) code is available, indicating the vulnerability is relatively easy to exploit. While no active campaigns targeting this specific vulnerability have been publicly reported, the ease of exploitation means it remains a potential risk, especially for older, unpatched deployments. Refer to the Next.js security advisory for more details.
Exploit status
EPSS
14.62% (94th percentile)
CVSS vector
The primary mitigation for CVE-2018-6184 is to upgrade to Next.js version 4.2.3 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious characters or patterns in the /_next path. Additionally, restrict access to the /_next directory through server-level configuration (e.g., .htaccess for Apache) to prevent unauthorized access. After upgrading, confirm the fix by attempting a directory traversal request to the /_next path and verifying that access is denied.
No official patch available. Check for workarounds or monitor for updates.
CVE-2018-6184 is a vulnerability in Next.js versions before 4.2.3 that allows attackers to access arbitrary files on the server through the /_next directory. It's rated HIGH severity with a CVSS score of 7.5.
You are affected if you are using Next.js versions prior to 4.2.3. Check your project's dependencies to determine if you need to upgrade.
Upgrade to Next.js version 4.2.3 or later. As a temporary workaround, implement a WAF rule to block suspicious requests to the /_next directory.
While no active campaigns have been publicly reported, the availability of POC code suggests it's a potential risk, especially for unpatched systems.
Refer to the Next.js security advisory on their GitHub repository: [https://github.com/vercel/next.js/security/advisories/GHSA-5w5g-4x4x-x69r](https://github.com/vercel/next.js/security/advisories/GHSA-5w5g-4x4x-x69r)