CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47831 – Next.js image optimization has Denial of Service condition
https://notcve.org/view.php?id=CVE-2024-47831
Next.js is a React Framework for the Web. Cersions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither the `next.config.js` file that is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value nor the Next.js application that is hosted on Vercel are affected. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned. • https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m • CWE-674: Uncontrolled Recursion •
CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 1CVE-2023-46298
https://notcve.org/view.php?id=CVE-2023-46298
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Next.js anterior a 13.4.20-canary.13 carece de un encabezado de control de caché y, por lo tanto, a veces una CDN puede almacenar en caché respuestas de captación previa vacías, lo que provoca una denegación de servicio a todos los usuarios que solicitan la misma URL a través de esa CDN. • https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13 https://github.com/vercel/next.js/issues/45301 https://github.com/vercel/next.js/pull/54732 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23646 – Improper CSP in Image Optimization API for Next.js
https://notcve.org/view.php?id=CVE-2022-23646
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. • https://github.com/vercel/next.js/pull/34075 https://github.com/vercel/next.js/releases/tag/v12.1.0 https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj • CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39178 – XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0
https://notcve.org/view.php?id=CVE-2021-39178
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1. • https://github.com/vercel/next.js/releases/tag/v11.1.1 https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9EPSS: 0%CPEs: 2EXPL: 0CVE-2021-37699 – Open Redirect in Next.js versions below 11.1.0
https://notcve.org/view.php?id=CVE-2021-37699
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0. • https://github.com/vercel/next.js/releases/tag/v11.1.0 https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •