Skip to main content

Next.js CVE-2017-16877

HIGH
Path Traversal (CWE-22)
2017-11-17 cve@mitre.org
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 17, 2017 - 17:29 cve.org
HIGH 7.5

DescriptionCVE.org

ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information.

AnalysisAI

ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.8%.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. Affected products include: Zeit Next.Js. Version information: before 2.4.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2025-29927 CRITICAL POC
9.1 Mar 21

Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subreques

CVE-2025-57822 MEDIUM POC
6.5 Aug 29

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.5), this vulnerabil

CVE-2025-6087 CRITICAL
9.1 Jun 16

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected sy

CVE-2026-41248 CRITICAL
9.1 Apr 24

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c

CVE-2025-48947 HIGH
7.7 Jun 04

A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring

CVE-2025-32421 LOW
3.7 May 14

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 3.7), this vulnerability

CVE-2025-30218 LOW
1.7 Apr 02

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 1.7), this vulnerability

CVE-2025-57752 MEDIUM
6.2 Aug 29

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.2), this vulnerabil

CVE-2025-55173 MEDIUM
4.3 Aug 29

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 4.3), this vulnerabil

CVE-2025-48068 LOW
2.3 May 30

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3), this vulnerability

CVE-2024-56332 MEDIUM
5.3 Jan 03

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 5.3), this vulnerabil

Share

CVE-2017-16877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy