ZEIT Next.js prior to 2.4.1 has directory traversal under the /_next and /static request namespace, allowing malicious users to obtain sensitive information.
zeit next.js