cbcvebase.
CVE-2017-16877
published 2017-11-17

CVE-2017-16877: ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information.

PriorityP355high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
14.10%
96.1th percentile
ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information.

Affected

2 ranges
VendorProductVersion rangeFixed in
nextnext>= 1.0.0 < 2.4.12.4.1
zeitnext.js< 2.4.12.4.1

Detection & IOCsextracted from sources · hover to see the quote

url{{BaseURL}}/_next/../../../../../../../../../../etc/passwd
path/_next/../../../../../../../../../../etc/passwd
  • Exploit path traversal via the /_next namespace by appending directory traversal sequences (../../) to reach sensitive files like /etc/passwd. A successful response returns HTTP 200 with passwd file content matching root:.*:0:0:
  • Monitor HTTP GET requests to paths beginning with /_next/ or /static/ that contain ../ sequences, indicating directory traversal attempts against vulnerable Next.js instances.
  • Use Shodan query 'http.html:"/_next/static"' or FOFA query 'body="/_next/static"' to identify internet-exposed Next.js instances potentially vulnerable to CVE-2017-16877.
  • ·Vulnerability affects only Next.js versions prior to 2.4.1. Instances running 2.4.1 or later are not affected.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.