Development · June 3, 2026 · via DEV Community

Critical Path Traversal Flaw in OopsSec Store Affects Next.js Apps


Next.js developers should remain vigilant about unvalidated file paths. A critical path traversal flaw in OopsSec Store’s API exposes sensitive files, as demonstrated in a clear proof-of-concept.

Unsanitized Paths Enable Directory Traversal

The OopsSec Store project features an API endpoint /api/files that accepts a file parameter to serve documents from a designated folder. The issue? The provided path isn’t sanitized before being joined to the base directory. A simple ../ is enough to navigate up one level and access files outside the intended directory—such as flag.txt, located at the project’s root.

Exploiting the Flaw: Three Steps to Retrieve the Flag

First, testing with a legitimate file confirms the endpoint’s functionality. Next, inserting a ../ into the file parameter targets sensitive files. Finally, the following request retrieves the contents of flag.txt:

curl "http://localhost:3000/api/files?file=../flag.txt"

The same method applies to system files like /etc/passwd, provided the Node process has the necessary permissions.

The Root Cause: Missing Input Validation

The API handler uses path.join() to construct the full file path without checking for sequences like ../. Rigorous input sanitization—paired with strict directory access controls—is essential to prevent such attacks. Next.js developers are urged to audit similar endpoints in their projects.
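
The root cause and a containment check, as an added example that is not the OopsSec Store source: BASE_DIR and the function names are assumptions. It goes slightly beyond the ../flag.txt case by also covering absolute paths and sibling directories that share the base directory's prefix.

```javascript
// Added example; not the OopsSec Store source. BASE_DIR and all function
// names are assumptions made for illustration.
const path = require('node:path');

const BASE_DIR = '/app/documents'; // hypothetical document root

// Pattern described above: join the parameter onto the base, no checks.
// path.join() normalises "../", so the result can sit outside BASE_DIR.
function resolveUnsafe(fileParam) {
  return path.join(BASE_DIR, fileParam);
}

// Hardened form: resolve first, then require the result to be strictly
// inside BASE_DIR. Returns the absolute path, or null when rejected.
// Lexical check only: if BASE_DIR may contain symlinks, resolve both
// sides with fs.realpathSync() and repeat the check before opening.
function resolveSafe(fileParam) {
  if (typeof fileParam !== 'string' || fileParam === '' || fileParam.includes('\0')) {
    return null;
  }
  const resolved = path.resolve(BASE_DIR, fileParam);
  const rel = path.relative(BASE_DIR, resolved);
  // rel === ''    -> the base directory itself, not a file
  // rel "../..."  -> climbed out (also catches /app/documents-private,
  //                  which a bare startsWith(BASE_DIR) test would accept)
  const escaped = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escaped ? null : resolved;
}

// Constructed inputs for the file parameter, run through both resolvers.
function compare(inputs) {
  return inputs.map((input) => ({
    input,
    unsafe: resolveUnsafe(input),
    safe: resolveSafe(input),
  }));
}

console.table(compare([
  'report.pdf', 'sub/../report.pdf', '../flag.txt',
  '../documents-private/x.txt', '/etc/passwd', '..notes.txt',
]));
```

Comparing path.relative() output rather than string prefixes is what keeps a file literally named ..notes.txt allowed while ../flag.txt is rejected.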


Source: DEV Community. Editorial synthesis assisted by AI — TechnoExpress.
