Severity: Medium · CWE-540 · OWASP A05:2021

Source Maps Exposed in Production

JavaScript source map files (.map) are publicly accessible in production, revealing the complete original source code including comments, variable names, and internal logic.

How It Works

Source maps are files that map minified/bundled JavaScript back to the original source code. When left accessible in production, anyone can download them and reconstruct the entire codebase. This reveals business logic, API endpoints, validation rules, authentication flows, hardcoded values, internal comments, and code structure. Attackers use this information to find vulnerabilities faster by reading the actual source instead of reverse-engineering minified code. Next.js generates source maps by default in production builds.

Vulnerable Code

// next.config.js — source maps enabled (default)
module.exports = {
  productionBrowserSourceMaps: true,
  // .map files are now publicly accessible
  // e.g., /_next/static/chunks/pages/admin-a1b2c3.js.map
};

Secure Code

// next.config.js — disable public source maps
module.exports = {
  productionBrowserSourceMaps: false,
  // Upload source maps to error tracking only.
  // The `sentry` block is read by the withSentryConfig wrapper from
  // @sentry/nextjs; without that wrapper Next.js ignores the key.
  sentry: {
    hideSourceMaps: true,
  },
};

Real-World Example

In 2021, researchers found that several major websites including e-commerce platforms had source maps exposed, revealing complete React component trees, API integration code, and admin panel logic. This gave attackers a roadmap to find and exploit vulnerabilities.

How to Prevent It

  • Set productionBrowserSourceMaps: false in next.config.js
  • Upload source maps to Sentry or similar tools privately, not publicly
  • Add *.map to your CDN's deny rules or Content-Security-Policy
  • Audit deployed files to ensure no .map files are publicly accessible
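A way to carry out the last step above, added here as an example rather than code from the original page: it reads the sourceMappingURL comment at the end of each served bundle, resolves it, and records whether the .map answers with HTTP 200 (an inline data: URI counts as exposed, since the sources ship inside the bundle). The host, the main-d4e5f6 chunk name and the fetch stub are constructed so it runs offline; pass the real fetch to audit a live deployment.

```javascript
// Added example, not code from the original page: audit served JavaScript
// bundles for exposed source maps. The site, URLs and fetch are constructed.
const SOURCE_MAP_RE = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/m;

// Return the source map reference in a served bundle, or null if none.
// "inline" means a data: URI: the original sources ship inside the bundle.
function findSourceMapRef(jsText, bundleUrl) {
  const m = SOURCE_MAP_RE.exec(jsText);
  if (!m) return null;
  if (m[1].startsWith("data:")) return { kind: "inline", url: null };
  return { kind: "external", url: new URL(m[1], bundleUrl).href };
}

// For each bundle URL, follow its sourceMappingURL and record whether the
// .map is publicly served. fetchFn mimics fetch(): { status, text() }.
async function auditBundles(bundleUrls, fetchFn = globalThis.fetch) {
  const findings = [];
  for (const bundleUrl of bundleUrls) {
    const res = await fetchFn(bundleUrl);
    if (res.status !== 200) continue;
    const ref = findSourceMapRef(await res.text(), bundleUrl);
    if (!ref) continue; // no reference: nothing to follow
    if (ref.kind === "inline") {
      findings.push({ bundleUrl, mapUrl: null, exposed: true, reason: "inline map" });
      continue;
    }
    const mapRes = await fetchFn(ref.url);
    findings.push({ bundleUrl, mapUrl: ref.url,
                    exposed: mapRes.status === 200, reason: `HTTP ${mapRes.status}` });
  }
  return findings;
}

// Constructed sample deployment (hypothetical host) for an offline run:
// the admin chunk's map is served, the main chunk's map is missing (404).
const SAMPLE_SITE = {
  "https://example.test/_next/static/chunks/pages/admin-a1b2c3.js":
    "(()=>{})();\n//# sourceMappingURL=admin-a1b2c3.js.map\n",
  "https://example.test/_next/static/chunks/pages/admin-a1b2c3.js.map":
    '{"version":3,"sources":["pages/admin.tsx"],"mappings":""}',
  "https://example.test/_next/static/chunks/main-d4e5f6.js":
    "(()=>{})();\n//# sourceMappingURL=main-d4e5f6.js.map\n",
};
const mockFetch = async (url) => ({
  status: url in SAMPLE_SITE ? 200 : 404,
  text: async () => SAMPLE_SITE[url] ?? "",
});
const SAMPLE_BUNDLES = Object.keys(SAMPLE_SITE).filter((u) => u.endsWith(".js"));
```

Run it with `auditBundles(SAMPLE_BUNDLES, mockFetch).then(console.table)`; any finding with `exposed: true` is a .map (or inline map) that a visitor can download.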

Affected Technologies

React, Next.js, Node.js

Data Hogo detects this vulnerability automatically.