CVE-2023-46298
https://notcve.org/view.php?id=CVE-2023-46298
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Next.js anterior a 13.4.20-canary.13 carece de un encabezado de control de caché y, por lo tanto, a veces una CDN puede almacenar en caché respuestas de captación previa vacías, lo que provoca una denegación de servicio a todos los usuarios que solicitan la misma URL a través de esa CDN. • https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13 https://github.com/vercel/next.js/issues/45301 https://github.com/vercel/next.js/pull/54732 •
CVE-2022-36046 – Unexpected server crash in Next.js version 12.2.3
https://notcve.org/view.php?id=CVE-2022-36046
Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server). Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across requests. Next.js es un framework de React que puede proporcionar bloques de construcción para crear aplicaciones web. Todo lo siguiente debe ser cierto para estar afectado por esta CVE: Next.js versión 12.2.3, Node.js versiones superiores a v15.0.0, siendo usado con la salida estricta "unhandledRejection" Y usando next start o un [servidor personalizado](https://nextjs.org/docs/advanced-features/custom-server). • https://github.com/vercel/next.js/releases/tag/v12.2.4 https://github.com/vercel/next.js/security/advisories/GHSA-wff4-fpwg-qqv3 • CWE-248: Uncaught Exception CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVE-2022-23646 – Improper CSP in Image Optimization API for Next.js
https://notcve.org/view.php?id=CVE-2022-23646
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. • https://github.com/vercel/next.js/pull/34075 https://github.com/vercel/next.js/releases/tag/v12.1.0 https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj • CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVE-2022-21721 – DOS Vulnerability in next.js
https://notcve.org/view.php?id=CVE-2022-21721
Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, `next@12.0.9`, that mitigates this issue. • https://github.com/vercel/next.js/pull/33503 https://github.com/vercel/next.js/releases/tag/v12.0.9 https://github.com/vercel/next.js/security/advisories/GHSA-wr66-vrwm-5g5x •
CVE-2021-43803 – Unexpected server crash in Next.js
https://notcve.org/view.php?id=CVE-2021-43803
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. • https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264 https://github.com/vercel/next.js/pull/32080 https://github.com/vercel/next.js/releases/tag/v11.1.3 https://github.com/vercel/next.js/releases/v12.0.5 https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx • CWE-20: Improper Input Validation •