GHSA-3h52-269p-cp9r: Information exposure in Next.js dev server due to lack of origin verification

Summary

This vulnerability is similar to CVE-2018-14732. When a Next.js server is run locally (e.g. through npm run dev), its WebSocket server is vulnerable to Cross-site WebSocket hijacking (CSWSH): a bad actor can read the source code of client components if a user visits a malicious link while the Next.js dev server is running.

Impact

If a user is running a Next.js server locally (e.g. npm run dev), and they were to browse to a malicious website, the malicious website may be able to access the source code of the Next.js app. This vulnerability only affects applications making use of App Router.

Note: App Router was experimental and required experimental.appDir = true in versions >=13.0.0 and <13.4.

Source: ghsa. Tags: #vulnerability, #web, #nodejs, #js

References

  • GHSA-3h52-269p-cp9r
