CVE-2020-5284: Directory Traversal in Next.js

March 30, 2020 (updated September 26, 2025)

Not affected: Deployments on ZEIT Now v2 (https://zeit.co) are not affected
Not affected: Deployments using the serverless target
Not affected: Deployments using next export
Affected: Users of Next.js below 9.3.2

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

References

github.com/advisories/GHSA-fq77-7p7r-83rj
github.com/zeit/next.js/releases/tag/v9.3.2
github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj
nvd.nist.gov/vuln/detail/CVE-2020-5284
www.npmjs.com/advisories/1503

Code Behaviors & Features

Detect and mitigate CVE-2020-5284 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →