CVE-2021-39178
Published 2021-08-31
Priority: P4 · 25 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 1.14% (62.6th percentile)
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 10.0.0 < 11.1.1 | 11.1.1 |
| vercel | next.js | — | — |
| vercel | next.js | >= 10.0.0 < 11.1.1 | 11.1.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
OSV
XSS in Image Optimization API for Next.js
OSV record · 2021-09-01 · CVE-2021-39178 · severity HIGH
### Impact
- **Affected:** all of the following must be true to be affected
  - Next.js between version 10.0.0 and 11.1.0
  - The `next.config.js` file has the [`images.domains`](https://nextjs.org/docs/basic-features/image-optimization#domains) array assigned
  - The image host assigned in [`images.domains`](https://nextjs.org/docs/basic-features/image-optimization#domains) allows user-provided SVG
- **Not affected:** the `next.config.js` file has [`images.loader`](https://nextjs.org/docs/basic-features/image-optimization#loader) assigned to something other than default
- **Not affected:** deployments on [Vercel](https://vercel.com)
### Patches
[Next.js v11.1.1](https://github.com/vercel/next.js/releases/tag/v11.1.1)
GHSA
XSS in Image Optimization API for Next.js
GHSA record · 2021-09-01 · CVE-2021-39178 · severity HIGH · CWE-79
### Impact
- **Affected:** all of the following must be true to be affected
  - Next.js between version 10.0.0 and 11.1.0
  - The `next.config.js` file has the [`images.domains`](https://nextjs.org/docs/basic-features/image-optimization#domains) array assigned
  - The image host assigned in [`images.domains`](https://nextjs.org/docs/basic-features/image-optimization#domains) allows user-provided SVG
- **Not affected:** the `next.config.js` file has [`images.loader`](https://nextjs.org/docs/basic-features/image-optimization#loader) assigned to something other than default
- **Not affected:** deployments on [Vercel](https://vercel.com)
### Patches
[Next.js v11.1.1](https://github.com/vercel/next.js/releases/tag/v11.1.1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.