Skip to content

XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0

Moderate
styfle published GHSA-9gr3-7897-pp7m Aug 30, 2021

Package

npm next (npm)

Affected versions

10.0.0 <= 11.1.0

Patched versions

11.1.1

Description

Impact

  • Affected: All of the following must be true to be affected
    • Next.js between version 10.0.0 and 11.1.0
    • The next.config.js file has images.domains array assigned
    • The image host assigned in images.domains allows user-provided SVG
  • Not affected: The next.config.js file has images.loader assigned to something other than default
  • Not affected: Deployments on Vercel are not affected

Patches

Next.js v11.1.1

Severity

Moderate

CVE ID

CVE-2021-39178

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy