Vulnerability details: VCID-kz7q-razc-pyf2
Vulnerability ID VCID-kz7q-razc-pyf2
Aliases GHSA-5vj8-3v2h-h38v
GMS-2020-750
Summary Remote Code Execution in next

Versions of `next` prior to 5.1.0 are vulnerable to Remote Code Execution. The `/path:` route fails to properly sanitize input and passes it to a `require()` call. This allows attackers to execute JavaScript code on the server.

Note that prior to version 0.9.9, the `next` npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

## Recommendation

Upgrade to version 5.1.0.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (4)
System Score Found at
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-5vj8-3v2h-h38v
generic_textual HIGH https://github.com/vercel/next.js
generic_textual HIGH https://www.npmjs.com/advisories/1538
No exploits are available.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-04-01T12:59:53.796452+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-5vj8-3v2h-h38v/GHSA-5vj8-3v2h-h38v.json 38.0.0