Next.js and Serve Security Patches
This upgrade is completely backwards compatible and recommended for all users.
For future security communications about our OSS projects, please join this mailing list.
We were notified of a directory traversal issue on Next.js under the
/static request namespaces.
An attacker can craft a request that accesses potentially sensitive information in your filesystem.
Our investigation revealed the issue was associated with the usage
middleware without supplying a
root option. We performed
an audit of our other codebases using this dependency, which
led us to the
Summary: the fixes are live as patch releases and we're working together with a security firm to audit our OSS codebases routinely in order to avoid issues in the future.
How to upgrade
- We have released patch versions of the stable and
- The following versions fix this bug and include precautions to avoid
similar problems in the future
- If using Next.js, run
npm install firstname.lastname@example.org --save
- If using serve, run
npm install email@example.com --save
- Affected: Users of Next.js and serve prior to this release
- Not affected: Next.js Deployments on https://now.sh (like https://zeit.co)
- Not affected: Static deployments via
We recommend that everyone upgrade regardless!
How to assess impact
If you think sensitive code or data could have been exposed, please filter
logs of affected sites by
".." (excluding quotes in all cases)
and check for
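One way to run the ".." log filter described above, as an added example that is not part of the original advisory or of the Next.js or serve code. It assumes Common/Combined Log Format access logs; the function names, sample lines and the choice to report status and byte count for each hit are assumptions of this example.

```javascript
// Added example: find access-log requests whose path contains a ".." segment.
// Assumption: Common/Combined Log Format; adapt REQUEST_RE to your own logs.
const REQUEST_RE = /"([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3}) (\S+)/;

// Logs usually record the raw request target, so undo percent-encoding of
// ".", "/" and "%" (bounded to three passes) before looking for "..".
function decodePath(raw) {
  let current = raw;
  for (let i = 0; i < 3; i++) {
    const next = current
      .replace(/%25/gi, '%')
      .replace(/%2e/gi, '.')
      .replace(/%2f/gi, '/');
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns one record per line whose decoded path has a ".." path segment.
// A file name such as "app..min.js" is not a segment match and is skipped.
function findTraversalRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const [, method, target, status, bytes] = m;
    const path = decodePath(target.split('?')[0]);
    if (!path.split('/').includes('..')) continue;
    hits.push({ method, path, status: Number(status), bytes, line });
  }
  return hits;
}

// Constructed sample lines (documentation IP ranges, made-up paths and date).
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Jan/2000:10:12:01 +0000] "GET /static/logo.png HTTP/1.1" 200 5120',
  '203.0.113.9 - - [01/Jan/2000:10:12:05 +0000] "GET /static/../package.json HTTP/1.1" 200 812',
  '203.0.113.9 - - [01/Jan/2000:10:12:06 +0000] "GET /static/%2e%2e/%2e%2e/secrets.txt HTTP/1.1" 404 19',
  '198.51.100.4 - - [01/Jan/2000:10:13:40 +0000] "GET /static/app..min.js HTTP/1.1" 200 20480',
];

for (const hit of findTraversalRequests(SAMPLE_LOG)) {
  console.log(hit.status, hit.bytes, hit.method, hit.path);
}
```

Each returned record keeps the original log line, so hits can be grouped by client address or time window during review.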
What is being done
As Next.js has grown in popularity, it has received the attention of security researchers and auditors. We are thankful to @ru_raz0r for his investigation and discovery of the original bug and subsequent responsible disclosure.
- We have notified large deployments of Next.js in advance of this publication.
- If you want to stay on top of our security-related news impacting Next.js or other projects, please join this mailing list.
- We are also very happy to announce that we're working together with Lift Security / Node Security on an audit of all our OSS projects on a recurring basis to ensure a safe experience for everyone.
- We encourage responsible disclosure of future issues. Please email us at firstname.lastname@example.org. We are actively monitoring this mailbox.