zeit 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に パス処理の欠陥 and vendor risk cross-site scripting などに関し、一部は vendor impact session compromise を招き、vendor surface production workloads and vendor surface software deployment 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2020-5284 | Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2. | [email protected] | 4.4 | 43.43% | 2020-03-30 | 2026-06-17 |
| CVE-2019-5417 | A path traversal vulnerability in serve npm package version 7.0.1 allows the attackers to read content of arbitrary files on the remote server. | [email protected] | 7.5 | 2.21% | 2019-03-21 | 2026-06-17 |
| CVE-2019-5415 | A bug in handling the ignore files and directories feature in serve 6.5.3 allows an attacker to read a file or list the directory that the victim has not allowed access to. | [email protected] | 7.5 | 1.69% | 2019-03-21 | 2026-06-17 |
| CVE-2018-18282 | Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. | [email protected] | 6.1 | 1.03% | 2018-10-12 | 2026-06-17 |
| CVE-2018-3718 | serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded. | [email protected] | 5.3 | 1.32% | 2018-06-07 | 2026-06-17 |
| CVE-2018-3712 | serve node module before 6.4.9 suffers from a Path Traversal vulnerability due to not handling %2e (.) and %2f (/) and allowing them in paths, which allows a malicious user to view the contents of any directory with known path. | [email protected] | 6.5 | 1.79% | 2018-06-07 | 2026-06-17 |
| CVE-2018-3809 | Information exposure through directory listings in serve 6.5.3 allows directory listing and file access even when they have been set to be ignored. | [email protected] | 5.3 | 1.05% | 2018-06-01 | 2026-06-17 |
| CVE-2018-6184 | ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace. | [email protected] | 7.5 | 9.23% | 2018-01-24 | 2026-06-17 |
| CVE-2017-16877 | ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. | [email protected] | 7.5 | 14.10% | 2017-11-17 | 2026-06-17 |