CVE-2021-39178 – XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0
https://notcve.org/view.php?id=CVE-2021-39178
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. For an instance to be affected, the `next.config.js` file must have the `images.domains` array assigned, and the image host listed in `images.domains` must allow user-provided SVG. If `next.config.js` has `images.loader` set to something other than the default, or the instance is deployed on Vercel, the instance is not affected. The vulnerability is patched in Next.js version 11.1.1.
References: https://github.com/vercel/next.js/releases/tag/v11.1.1 and https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-37699 – Open Redirect in Next.js versions below 11.1.0
https://notcve.org/view.php?id=CVE-2021-37699
Next.js is an open source website development framework to be used with the React library. In affected versions, specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to an external site. In general, this redirect does not directly harm users, although it can enable phishing attacks by redirecting from a trusted domain to an attacker's domain. We recommend that everyone upgrade regardless of whether they can reproduce the issue. The issue has been patched in release 11.1.0.
References: https://github.com/vercel/next.js/releases/tag/v11.1.0 and https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9
Weakness: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')