Information Disclosure via X-Nextjs-Matched-Path Header

Description

The 'X-Nextjs-Matched-Path' response header reveals the routing path or page that Next.js matched for a given request. Disclosing it lets an attacker learn about the internal structure of your application's routing logic or discover endpoints that are not linked from the UI. Such insight can help a malicious actor target particular routes more efficiently, exploit misconfigurations, or manipulate routing parameters in an attempt to bypass access controls. Exposing matched-path details therefore increases the attack surface and helps attackers plan more targeted attacks against specific Next.js pages.

Remediation

Remove or mask the 'X-Nextjs-Matched-Path' header in production by adjusting Next.js server configurations, build settings, or any reverse proxies/CDNs so that routing details are not leaked to clients. Keep your Next.js application and dependencies up to date with the latest security patches. If possible, employ a Web Application Firewall (WAF) or intrusion detection system to monitor for suspicious traffic that seeks to exploit routing logic. Regularly audit your server responses and logs to ensure that no sensitive or internal routing details are being disclosed and that unauthorized users cannot glean insights into your application’s structure.
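As an added example, not part of this finding, the following offline audit parses a captured HTTP response, reports the header case-insensitively (proxies and HTTP/2 commonly lower-case header names) and lists the dynamic route segments the value reveals. The sample responses are constructed for illustration; the Next.js segment syntax ([slug], [...slug], [[...slug]]) is the only assumption beyond this page.

```python
"""Offline audit of captured HTTP responses for the X-Nextjs-Matched-Path leak."""
import re
from dataclasses import dataclass, field

# Header names are compared lower-cased: HTTP header names are case-insensitive
# and proxies or HTTP/2 frequently lower-case them, so a literal match on
# 'X-Nextjs-Matched-Path' would miss the same leak spelled differently.
DISCLOSING_HEADER = "x-nextjs-matched-path"
# Next.js dynamic segments look like [slug], [...slug] or [[...slug]].
SEGMENT_RE = re.compile(r"\[{1,2}(\.\.\.)?([A-Za-z0-9_]+)\]{1,2}")


@dataclass
class Finding:
    header: str
    value: str
    dynamic_segments: list[str] = field(default_factory=list)


def parse_headers(raw_response: str) -> dict[str, str]:
    """Return the header block of a raw HTTP/1.x response as a lower-cased dict."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines instead of failing the whole audit
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_response(raw_response: str) -> list[Finding]:
    """Report the matched-path header and the route parameters it reveals."""
    headers = parse_headers(raw_response)
    if DISCLOSING_HEADER not in headers:
        return []
    value = headers[DISCLOSING_HEADER]
    segments = [m.group(2) for m in SEGMENT_RE.finditer(value)]
    return [Finding(DISCLOSING_HEADER, value, segments)]


# Constructed sample responses: one before remediation, one after a reverse
# proxy has stripped the header. Neither is captured from a real server.
LEAKING = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
           "x-nextjs-matched-path: /blog/[category]/[...slug]\r\n\r\n<!doctype html>")
HARDENED = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<!doctype html>"

if __name__ == "__main__":
    for label, resp in (("leaking", LEAKING), ("hardened", HARDENED)):
        print(label, audit_response(resp))
```

Run it against responses saved from your production origin and from the edge (CDN or reverse proxy) separately: a header removed at the edge is still visible to anyone who can reach the origin directly.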

References

https://nextjs.org/docs/routing/introduction
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (score 5.4)

CVSS 4.0: CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (score 5.4)