
CVE-2020-5284: Directory Traversal in Next.js

CVSS Score (CVSS v3.1)
4.4

Basic Information

EPSS Score
0.98915%
Published
3/30/2020
Updated
1/9/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name
next
Ecosystem
npm
Vulnerable Versions
< 9.3.2
First Patched Version
9.3.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

While exact code changes aren't visible, the vulnerability description explicitly mentions improper access control to .next/static paths. The release notes confirm the patch added path validation to static asset serving. In Next.js architecture, serveStatic is the primary function responsible for handling /_next/static requests. The medium confidence comes from matching the vulnerability pattern to the function's responsibility, despite lacking direct access to patch diffs.


WAF Protection Rules

WAF Rule

Impact
- Not affected: Deployments on ZEIT Now v2 (https://zeit.co) are not affected
- Not affected: Deployments using the `serverless` target
- Not affected: Deployments using `next export`
- Affected: Users
