CVE-2020-5284
published 2020-03-30

CVE-2020-5284: Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next)…

Priority: P2 · 76 · CVSS 3.1: 4.3 (medium)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 43.43% (98.6th percentile)
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.

Affected (2 ranges)

Vendor   Product   Version range        Fixed in
next     next      >= 0.9.9 < 9.3.2     9.3.2
zeit     next.js   < 9.3.2              9.3.2

Detection & IOCs (extracted from sources)

path: /_next/static/../server/pages-manifest.json
path: /_next/static
yara regex: '\{"/_app":".*?_app\.js"'
  • Send a GET request with a path traversal payload targeting the Next.js dist directory. A vulnerable server will respond HTTP 200 with Content-Type: application/json and a body matching the pages-manifest pattern.
  • Match response header for 'application/json' AND response body regex '\{"/_app":".*?_app\.js"' AND HTTP status 200 to confirm exploitation of the directory traversal.
  • Shodan/FOFA fingerprint for exposed Next.js instances: search for 'body="/_next/static"' or 'http.html:"/_next/static"' to identify potentially vulnerable targets.
  • The traversal only reaches files within the .next (dist) directory. Files outside this directory are not accessible via this vulnerability.
  • Exploitation requires an authenticated (low-privilege) user per CVSS scoring (PR:L), so unauthenticated mass exploitation may not apply in all deployments.
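The confirmation rule and traversal path listed above, turned into detection code as an added example for this page (not code from cvebase or from the Next.js project). It flags traversal attempts under /_next/static/ in access logs, including percent-encoded forms, and applies the page's HTTP 200 + application/json + pages-manifest regex rule to a response. The log lines are constructed samples in the common log format, which is an assumption about the reader's web server.

```python
import re
from urllib.parse import unquote

# Success-confirmation signature from the Detection & IOCs section:
# HTTP 200, application/json, body matching the pages-manifest pattern.
PAGES_MANIFEST_RE = re.compile(r'\{"/_app":".*?_app\.js"')
# A '..' segment anywhere under the Next.js static asset route.
TRAVERSAL_RE = re.compile(r'/_next/static/(?:[^/]*/)*\.\.(?:/|$)')
# Common log format line (assumed format for the constructed samples).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')

def is_traversal_request(raw_path: str) -> bool:
    """True if the request path attempts '..' traversal under /_next/static/.
    Decodes percent-encoding twice so %2e%2e and %252e%252e forms are caught."""
    path = raw_path.split('?', 1)[0]
    for _ in range(2):
        path = unquote(path)
    return TRAVERSAL_RE.search(path) is not None

def is_exploit_success(status: int, content_type: str, body: str) -> bool:
    """Apply the page's confirmation rule to one observed response."""
    return (status == 200
            and 'application/json' in content_type.lower()
            and PAGES_MANIFEST_RE.search(body) is not None)

def flag_log(log_text: str) -> list:
    """Return (client_ip, path, status) for every line that looks like a traversal attempt.
    A 200 on a flagged line deserves follow-up with is_exploit_success on the body."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_request(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2020:10:00:01 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 5120
203.0.113.7 - - [30/Mar/2020:10:00:02 +0000] "GET /_next/static/../server/pages-manifest.json HTTP/1.1" 200 87
203.0.113.7 - - [30/Mar/2020:10:00:03 +0000] "GET /_next/static/%2e%2e/server/pages-manifest.json HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for ip, path, status in flag_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} -> {status}")
```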

CVSS provenance

nvd v3.1: 4.3 MEDIUM  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd v2.0: 5.0 MEDIUM  AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck: 4.4 MEDIUM