__NEXT_DATA__ Secrets Exposure
Next.js page props passed through getServerSideProps or getStaticProps leak sensitive data like API keys, database URLs, or internal configuration via the __NEXT_DATA__ script tag.
How It Works
In Next.js, data returned from getServerSideProps or getStaticProps is serialized into a __NEXT_DATA__ JSON object embedded in the HTML as a script tag. This data is visible to anyone who views the page source. Developers often fetch data server-side and accidentally pass the entire response object — including API keys, internal URLs, user tokens, or database connection strings — as page props. Even if the UI only displays a subset of the data, the full object is exposed in __NEXT_DATA__.
Vulnerable: the whole upstream response becomes a page prop.

  export async function getServerSideProps() {
    const res = await fetch('https://api.internal.com/users', {
      headers: { 'X-API-Key': process.env.INTERNAL_API_KEY }
    });
    const data = await res.json();
    // Entire response including internal fields passed to client
    return { props: { data } };
  }

Fixed: only the fields the UI renders are returned as props.

  export async function getServerSideProps() {
    const res = await fetch('https://api.internal.com/users', {
      headers: { 'X-API-Key': process.env.INTERNAL_API_KEY }
    });
    const data = await res.json();
    // Only pass the fields the UI actually needs
    const safeData = data.map(u => ({
      id: u.id, name: u.name, avatar: u.avatar
    }));
    return { props: { users: safeData } };
  }

Real-World Example
In 2022, security researchers found multiple Next.js applications leaking Stripe secret keys, database connection strings, and internal API tokens through __NEXT_DATA__. One e-commerce site exposed its Stripe secret key, which could have been used to issue refunds or access payment data.
How to Prevent It
- Only return the specific fields needed by the UI in page props
- Never pass entire API responses or database records as props
- Audit __NEXT_DATA__ in production by viewing page source
- Use Next.js App Router with Server Components to avoid serializing sensitive data
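The "view page source" audit above can be automated. The following is an added example (not code from the original page): a small Node.js helper that extracts the __NEXT_DATA__ JSON from fetched page HTML and reports props whose key names or values look like server-only secrets. The sample HTML, the key-name pattern and the value patterns are constructed for illustration; the credential-looking values are fake.

```javascript
// Constructed sample of a rendered Next.js page; all secret-looking values are fake.
const SAMPLE_HTML = `<html><body><div id="__next"></div>
<script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"data":[{"id":1,"name":"Ada","apiKey":"sk_live_FAKE0000000000000000"}],"config":{"dbUrl":"postgres://app:hunter2@db.internal:5432/app"}}},"page":"/users","query":{},"buildId":"dev"}</script>
</body></html>`;

// Key names that usually mean a server-only value was serialized into page props.
const SENSITIVE_KEY = /(api[_-]?key|secret|token|password|passwd|private|connection|db[_-]?url)/i;
// Value shapes worth flagging regardless of the key they sit under.
const SENSITIVE_VALUE = [
  { name: 'stripe-secret-key', re: /^sk_(live|test)_[A-Za-z0-9]{8,}$/ },
  { name: 'database-url', re: /^(postgres|mysql|mongodb(\+srv)?|redis):\/\/[^@\s]+@/ },
  { name: 'jwt', re: /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/ },
];

// Pull the JSON out of the __NEXT_DATA__ script tag; null if the page has none.
function extractNextData(html) {
  const m = html.match(/<script[^>]*id="__NEXT_DATA__"[^>]*>([\s\S]*?)<\/script>/);
  return m ? JSON.parse(m[1]) : null;
}

// Walk every serialized prop and return findings with the JSON path of each hit.
function findSecretsInNextData(html) {
  const nextData = extractNextData(html);
  if (!nextData) return [];
  const findings = [];
  const walk = (node, path) => {
    if (Array.isArray(node)) { node.forEach((v, i) => walk(v, `${path}[${i}]`)); return; }
    if (node && typeof node === 'object') {
      for (const [k, v] of Object.entries(node)) {
        const p = `${path}.${k}`;
        if (SENSITIVE_KEY.test(k) && typeof v === 'string') findings.push({ path: p, reason: 'sensitive key name' });
        walk(v, p);
      }
      return;
    }
    if (typeof node === 'string') {
      for (const { name, re } of SENSITIVE_VALUE) if (re.test(node)) findings.push({ path, reason: name });
    }
  };
  walk(nextData.props, 'props');
  return findings;
}

for (const f of findSecretsInNextData(SAMPLE_HTML)) console.log(`${f.reason}: ${f.path}`);
```

In practice the HTML comes from fetching each route of the production site; a non-empty result list for any route means a prop has to be trimmed at the getServerSideProps/getStaticProps boundary, as in the fixed snippet above.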