ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information.
{
"unresolved_ranges": [
{
"vendor_product": "zeit:next.js",
"cpes": [
"cpe:2.3:a:zeit:next.js:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"fixed": "2.4.1"
}
],
"source": "CPE_RANGE"
}
]
}