Versions of next prior to 5.1.0 are vulnerable to Remote Code Execution. The /path: route fails to properly sanitize input and passes it to a require() call. This allows attackers to execute JavaScript code on the server. Note that prior version 0.9.9 package next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.
Recommendation
Upgrade to version 5.1.0.
References
Versions of
nextprior to 5.1.0 are vulnerable to Remote Code Execution. The/path:route fails to properly sanitize input and passes it to arequire()call. This allows attackers to execute JavaScript code on the server. Note that prior version 0.9.9 packagenextnpm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.Recommendation
Upgrade to version 5.1.0.
References