Next.js and Serve Security Patches

This upgrade is completely backwards compatible and recommended for all users.
For future security communications about our OSS projects, please join this mailing list.

We were notified of a directory traversal issue on Next.js under the /_next and /static request namespaces. An attacker can craft a request that accesses potentially sensitive information in your filesystem.

Our investigation revealed the issue was associated with the usage of the send middleware without supplying a root option. We performed an audit of our other codebases using this dependency, which led us to the serve patch.

Summary: the fixes are live as patch releases and we're working together with a security firm to audit our OSS codebases routinely in order to avoid issues in the future.

How to upgrade

Impact

We recommend that everyone upgrade regardless!

Users of container-based deployments, chroot environments and virtualization are at significantly lower risk of sensitive data exposure. In most scenarios, an attacker would be able to access only frontend JavaScript components.

How to assess impact

If you think sensitive code or data could have been exposed, filter the access logs of affected sites for requests containing ".." (without the quotes) and check for responses with status 200.
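The log check above, as an added example that is not part of the original post: it parses combined-format access-log lines (the sample lines below are constructed, not real traffic), keeps only requests under the affected /_next and /static namespaces that contain a ".." segment, and reports those that received a 200 response. Decoding the path first is an assumption added here so that a percent-encoded ".." is not missed by a literal grep.

```javascript
// Constructed sample access-log lines in the common "combined" format.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2018:10:00:00 +0000] "GET /_next/abc/page/index.js HTTP/1.1" 200 1234',
  '10.0.0.7 - - [01/Jan/2018:10:00:01 +0000] "GET /static/../package.json HTTP/1.1" 200 812',
  '10.0.0.7 - - [01/Jan/2018:10:00:02 +0000] "GET /static/../../next.config.js HTTP/1.1" 404 0',
  '10.0.0.9 - - [01/Jan/2018:10:00:03 +0000] "GET /_next/%2e%2e/server/config.js HTTP/1.1" 200 300',
  '10.0.0.9 - - [01/Jan/2018:10:00:04 +0000] "GET /about HTTP/1.1" 200 5000',
].join('\n');

// client - ident - user [time] "METHOD path protocol" status size
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // skip lines that are not in the expected format
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Only the two request namespaces named in the advisory are of interest.
function inAffectedNamespace(path) {
  return path.startsWith('/_next/') || path.startsWith('/static/');
}

// True when the (decoded) path has a ".." segment. Decoding is an added
// assumption so that "%2e%2e" is treated the same as a literal "..".
function hasTraversal(path) {
  let decoded = path;
  try {
    decoded = decodeURIComponent(path);
  } catch (e) {
    // malformed percent-encoding: fall back to matching the raw path
  }
  return decoded.split('/').includes('..');
}

// Return the parsed requests that match all three conditions from the post:
// affected namespace, ".." in the path, and a 200 response.
function findSuspiciousHits(logText) {
  return logText
    .split('\n')
    .map(parseLine)
    .filter((r) => r && inAffectedNamespace(r.path) && hasTraversal(r.path) && r.status === 200);
}

console.log(JSON.stringify(findSuspiciousHits(SAMPLE_LOG), null, 2));
```

A 404 on such a request still shows someone probing, but only the 200s indicate a file was actually served.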

What is being done

As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to @ru_raz0r for his investigation and discovery of the original bug and subsequent responsible disclosure.