Platform
nodejs
Component
next
Fixed in
4.2.3
CVE-2018-6184 describes a Directory Traversal vulnerability affecting Next.js versions before 4.2.3. This flaw allows attackers to potentially read sensitive files on the server by manipulating requests to the /_next namespace. The vulnerability was published on January 24, 2018, and a fix is available in version 4.2.3.
The Directory Traversal vulnerability in Next.js allows an attacker to bypass intended access restrictions and retrieve files from the server's file system. By crafting malicious requests targeting the /_next directory, an attacker could potentially access configuration files, source code, or other sensitive data. The impact is particularly severe if the server is publicly accessible or if the application handles sensitive user data. Successful exploitation could lead to data breaches, unauthorized access to system resources, and potential compromise of the entire server.
CVE-2018-6184 is not currently listed on KEV or EPSS. Public Proof-of-Concept (POC) code is available, indicating the vulnerability is relatively easy to exploit. While no active campaigns targeting this specific vulnerability have been publicly reported, the ease of exploitation means it remains a potential risk, especially for older, unpatched deployments. Refer to the Next.js security advisory for more details.
Exploit Status
EPSS
14.62% (94th percentile)
CVSS vector
The primary mitigation for CVE-2018-6184 is to upgrade to Next.js version 4.2.3 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious characters or patterns in the /_next path. Additionally, restrict access to the /_next directory through server-level configuration (e.g., .htaccess for Apache) to prevent unauthorized access. After upgrading, confirm the fix by attempting a directory traversal request to the /_next path and verifying that access is denied.
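The WAF-style filter described above, as an added example that is not part of this advisory or of Next.js itself: a pure function that a reverse proxy or edge rule could apply to every request path under /_next. It percent-decodes the path repeatedly (so a double-encoded sequence is seen as what it decodes to), then rejects malformed encoding, NUL bytes, backslash separators and any `..` segment. Because `..` segments are rejected outright, a path that passes cannot resolve outside the /_next prefix, so no separate normalisation step is needed. The request paths in `SAMPLE_PATHS` are constructed for the demonstration; `classifyRequestPath` and `decodeFully` are names chosen here, not Next.js APIs.

```javascript
// Added example, not from the advisory or the Next.js project.
// A request-path filter for the /_next namespace, of the kind a WAF rule
// or reverse-proxy check would apply before a request reaches the app.

const PROTECTED_PREFIX = '/_next';

// Percent-decode until the string stops changing (bounded), so that a
// double-encoded sequence such as %252e is seen as the "." it stands for.
// Returns null when the encoding is malformed.
function decodeFully(p) {
  let prev = p;
  for (let i = 0; i < 3; i++) {
    let cur;
    try {
      cur = decodeURIComponent(prev);
    } catch {
      return null;                 // e.g. a stray "%zz"
    }
    if (cur === prev) break;
    prev = cur;
  }
  return prev;
}

// Returns { allowed, reason } for one request path (query string ignored).
function classifyRequestPath(rawPath) {
  const decoded = decodeFully(rawPath.split('?')[0]);
  if (decoded === null) {
    return { allowed: false, reason: 'malformed percent-encoding' };
  }
  // Only the /_next namespace is in scope for this rule.
  if (decoded !== PROTECTED_PREFIX && !decoded.startsWith(PROTECTED_PREFIX + '/')) {
    return { allowed: true, reason: 'outside ' + PROTECTED_PREFIX };
  }
  if (decoded.includes('\0')) {
    return { allowed: false, reason: 'NUL byte in path' };
  }
  if (decoded.includes('\\')) {
    return { allowed: false, reason: 'backslash separator in path' };
  }
  // Any ".." segment is refused; with none present, the path cannot
  // resolve to anything outside the /_next prefix.
  if (decoded.split('/').includes('..')) {
    return { allowed: false, reason: 'parent-directory segment' };
  }
  return { allowed: true, reason: 'clean ' + PROTECTED_PREFIX + ' path' };
}

// Constructed sample request paths: two ordinary ones, three that a rule
// should block, and one with broken encoding.
const SAMPLE_PATHS = [
  '/_next/static/app.js',
  '/about',
  '/_next/../package.json',
  '/_next/%2e%2e/package.json',
  '/_next/%252e%252e/package.json',
  '/_next/static/%zz',
];

for (const p of SAMPLE_PATHS) {
  const verdict = classifyRequestPath(p);
  console.log(`${verdict.allowed ? 'ALLOW' : 'BLOCK'}  ${p}  (${verdict.reason})`);
}
```

The decode loop is bounded to three passes on purpose: an unbounded loop on attacker-controlled input is a cheap way to make the filter itself slow, and anything still changing after three decodes is not a legitimate asset path.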
No official patch available. Look for temporary workarounds or monitor for updates.
CVE-2018-6184 is a vulnerability in Next.js versions before 4.2.3 that allows attackers to access arbitrary files on the server through the /_next directory. It's rated HIGH severity with a CVSS score of 7.5.
You are affected if you are using Next.js versions prior to 4.2.3. Check your project's dependencies to determine if you need to upgrade.
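One way to perform that dependency check, as an added example that is not part of this advisory or of Next.js: scan a parsed `package-lock.json` (either the v2/v3 `packages` layout or the older nested `dependencies` layout) for every installed copy of `next` and flag those older than 4.2.3, including copies nested under another package that a top-level `package.json` would not reveal. The lock-file object `SAMPLE_LOCK` is constructed for the demonstration; `findNextInstalls` and `compareVersions` are names chosen here.

```javascript
// Added example, not from the advisory or the Next.js project.
// Finds every installed `next` in a parsed package-lock.json and reports
// whether it predates the 4.2.3 fix for CVE-2018-6184.

const FIXED_VERSION = '4.2.3';

// Compare two version strings of the form [v]MAJOR.MINOR.PATCH[-prerelease].
// Returns -1, 0 or 1. A pre-release of X sorts before the release X.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.replace(/^v/, '').split('-');
    return { nums: core.split('.').map(Number), pre };
  };
  const pa = parse(a);
  const pb = parse(b);
  const len = Math.max(pa.nums.length, pb.nums.length);
  for (let i = 0; i < len; i++) {
    const x = pa.nums[i] || 0;
    const y = pb.nums[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isVulnerableNext(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk a parsed lock file and return each installed `next` with its
// install path, version and verdict.
function findNextInstalls(lock) {
  const found = [];
  const record = (path, version) =>
    found.push({ path, version, vulnerable: isVulnerableNext(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/next' || path.endsWith('/node_modules/next')) {
        record(path, meta.version);
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested `dependencies` objects.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'next') record(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Constructed sample: a v2-style lock with a vulnerable root `next` and a
// patched copy nested under another package.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/next': { version: '4.2.1' },
    'node_modules/some-plugin': { version: '0.1.0' },
    'node_modules/some-plugin/node_modules/next': { version: '4.2.3' },
    'node_modules/react': { version: '16.2.0' },
  },
};

for (const hit of findNextInstalls(SAMPLE_LOCK)) {
  const verdict = hit.vulnerable ? 'VULNERABLE to CVE-2018-6184' : 'ok';
  console.log(`${hit.path}: next@${hit.version} -> ${verdict}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the lock file, not `package.json`, is what records the versions actually installed.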
Upgrade to Next.js version 4.2.3 or later. As a temporary workaround, implement a WAF rule to block suspicious requests to the /_next directory.
While no active campaigns have been publicly reported, the availability of POC code suggests it's a potential risk, especially for unpatched systems.
Refer to the Next.js security advisory on their GitHub repository: [https://github.com/vercel/next.js/security/advisories/GHSA-5w5g-4x4x-x69r](https://github.com/vercel/next.js/security/advisories/GHSA-5w5g-4x4x-x69r)