HIGH · CVE-2018-6184 · CVSS 7.5

CVE-2018-6184: Directory Traversal in Next.js

Platform

nodejs

Component

next

Fixed in

4.2.3

AI Confidence: high · NVD · EPSS 14.6% · Reviewed: May 2026

CVE-2018-6184 describes a Directory Traversal vulnerability affecting Next.js versions before 4.2.3. This flaw allows attackers to potentially read sensitive files on the server by manipulating requests to the /_next namespace. The vulnerability was published on January 24, 2018, and a fix is available in version 4.2.3.

Impact and Attack Scenarios

The Directory Traversal vulnerability in Next.js allows an attacker to bypass intended access restrictions and retrieve files from the server's file system. By crafting malicious requests targeting the /_next directory, an attacker could potentially access configuration files, source code, or other sensitive data. The impact is particularly severe if the server is publicly accessible or if the application handles sensitive user data. Successful exploitation could lead to data breaches, unauthorized access to system resources, and potential compromise of the entire server.

Exploitation Context

CVE-2018-6184 is not currently listed on KEV or EPSS. Public Proof-of-Concept (POC) code is available, indicating the vulnerability is relatively easy to exploit. While no active campaigns targeting this specific vulnerability have been publicly reported, the ease of exploitation means it remains a potential risk, especially for older, unpatched deployments. Refer to the Next.js security advisory for more details.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
NextGuard estimate: 10–15% still vulnerable

EPSS

14.62% (94% percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 7.5, HIGH; source: nextguardhq.com)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: None (risk of unauthorized data modification)
Availability: None (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: next
Vendor: osv
Affected range: from 1.0.0
Fixed in: 4.2.3

Package Information

Last updated: recently (latest release 16.2.6)

Timeline

  1. Published
  2. Modified
  3. EPSS updated
Patched -11 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2018-6184 is to upgrade to Next.js version 4.2.3 or later, which includes the fix. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) rule that blocks requests containing suspicious characters or traversal patterns in the /_next path. Additionally, restrict access to the /_next directory through server-level configuration (e.g., .htaccess for Apache) so that only the expected asset paths are served. After upgrading, confirm the fix by attempting a directory traversal request against the /_next path and verifying that access is denied.
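One way to implement the request screening that the WAF-style workaround describes, as an added example that is not from the advisory or from the Next.js project: the path is fully percent-decoded (so double-encoded sequences are seen), checked for ".." segments, backslashes and NUL bytes, and then resolved to confirm it still lies under /_next/. The middleware wiring, the function names and the sample request lines are all assumptions constructed for this example; they are not the real trigger for the vulnerability, which is documented in the linked advisory.

```javascript
// Added example (not from the advisory or from Next.js): a request-path screen for
// the /_next namespace that mirrors the WAF-style workaround. It is a stopgap for
// deployments that cannot upgrade yet; the real fix is Next.js 4.2.3 or later.

// Percent-decode a path repeatedly so that double-encoded sequences are also seen.
// Returns null when the encoding is malformed (treated as unsafe by the caller).
function fullyDecode(p) {
  let prev = null;
  let cur = p;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur);
    } catch (e) {
      return null;
    }
  }
  return cur;
}

// Resolve "." and ".." segments the way a filesystem would, without touching disk.
function normalizeSegments(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// True when the request path is a plain asset path under /_next/ (or is not under
// /_next at all, where this rule does not apply); false when it carries traversal
// segments, backslashes, NUL bytes, malformed encoding, or would resolve outside /_next/.
function isSafeNextPath(rawPath) {
  const pathOnly = rawPath.split("?")[0];
  if (!pathOnly.startsWith("/_next/")) return true;
  const decoded = fullyDecode(pathOnly);
  if (decoded === null) return false;
  if (decoded.includes("\\") || decoded.includes("\0")) return false;
  if (decoded.split("/").includes("..")) return false;
  const normalized = normalizeSegments(decoded);
  return normalized === "/_next" || normalized.startsWith("/_next/");
}

// Express-style middleware (hypothetical wiring; adapt to your server or proxy).
function nextPathGuard(req, res, next) {
  if (!isSafeNextPath(req.url)) {
    res.statusCode = 403;
    res.end("Forbidden");
    return;
  }
  next();
}

// Constructed sample request lines (method and path only) for offline review.
const SAMPLE_REQUESTS = [
  "GET /_next/static/chunks/main.js",
  "GET /_next/../package.json",
  "GET /_next/%2e%2e/%2e%2e/.env",
  "GET /_next/%252e%252e/.env",
  "GET /_next/static/..%5c..%5cconfig.js",
  "GET /api/health",
];

// Return the sample lines the screen would reject; the same check can be run over
// historical access logs to see whether traversal attempts were already made.
function flaggedRequests(lines) {
  return lines.filter((line) => !isSafeNextPath(line.split(" ")[1]));
}

console.log(flaggedRequests(SAMPLE_REQUESTS));
```

Install `nextPathGuard` ahead of the Next.js request handler (or port the same checks into the reverse proxy or WAF in front of it). Treat anything the screen flags in existing logs as a signal to review what was served from that deployment before the upgrade.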

How to fix

No official patch available. Check for workarounds or monitor for updates.

Frequently asked questions

What is CVE-2018-6184 — Directory Traversal in Next.js?

CVE-2018-6184 is a vulnerability in Next.js versions before 4.2.3 that allows attackers to access arbitrary files on the server through the /_next directory. It's rated HIGH severity with a CVSS score of 7.5.

Am I affected by CVE-2018-6184 in Next.js?

You are affected if you are using Next.js versions prior to 4.2.3. Check your project's dependencies to determine if you need to upgrade.
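To make "check your project's dependencies" concrete, here is an added example (not from the advisory or from the Next.js project) that reads a package-lock.json, collects every resolved `next` version (lockfile versions 1, 2 and 3), and reports whether any of them is below the fixed version 4.2.3. The lockfile content is constructed for the demonstration, and the function names are the example's own; prerelease suffixes are ignored by the comparison, so canary builds should be checked by hand.

```javascript
// Added example (not part of the advisory): decide from a lockfile whether the
// installed `next` package falls in the affected range (< 4.2.3).
const FIXED_VERSION = "4.2.3";

// Parse "major.minor.patch" (optional leading "v"); prerelease tags are dropped.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so "4.10.0" sorts after "4.2.3" (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error("unparseable version: " + (pa ? b : a));
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every resolved `next` version from a parsed package-lock.json object.
// lockfileVersion 2/3 use a flat "packages" map keyed by path; lockfileVersion 1
// nests "dependencies" recursively. Nested copies count too, since a transitive
// dependency can pull in an old Next.js alongside the top-level one.
function findInstalledNextVersions(lock) {
  const found = new Set();
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    const isNext = p === "node_modules/next" || p.endsWith("/node_modules/next");
    if (isNext && meta.version) found.add(meta.version);
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === "next" && meta.version) found.add(meta.version);
      if (meta.dependencies) walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...found];
}

// Returns { versions, vulnerable, affected } for the given lockfile text.
function assessLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const versions = findInstalledNextVersions(lock);
  const vulnerable = versions.filter((v) => compareVersions(v, FIXED_VERSION) < 0);
  return { versions, vulnerable, affected: vulnerable.length > 0 };
}

// Constructed sample lockfile (lockfileVersion 3 layout) with an affected version.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^4.1.0" } },
    "node_modules/next": { version: "4.1.4" },
    "node_modules/react": { version: "16.2.0" },
  },
});

console.log(assessLockfile(SAMPLE_LOCK));
```

Run it against the real lockfile with `assessLockfile(fs.readFileSync("package-lock.json", "utf8"))`; an `affected: true` result means at least one installed copy of `next` predates 4.2.3 and the upgrade in the mitigation section applies.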

How do I fix CVE-2018-6184 in Next.js?

Upgrade to Next.js version 4.2.3 or later. As a temporary workaround, implement a WAF rule to block suspicious requests to the /_next directory.

Is CVE-2018-6184 being actively exploited?

While no active campaigns have been publicly reported, the availability of POC code suggests it's a potential risk, especially for unpatched systems.

Where can I find the official Next.js advisory for CVE-2018-6184?

Refer to the Next.js security advisory on their GitHub repository: [https://github.com/vercel/next.js/security/advisories/GHSA-5w5g-4x4x-x69r](https://github.com/vercel/next.js/security/advisories/GHSA-5w5g-4x4x-x69r)
