CVE-2024-47831
Published 2024-10-14
CVE-2024-47831: Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image…
Priority: P3 (39) · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.74% (49.9th percentile)
Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Applications are not affected if their `next.config.js` sets `images.unoptimized` to `true` or `images.loader` to a non-default value, or if the application is hosted on Vercel. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 10.0.0 < 14.2.7 | 14.2.7 |
| vercel | next.js | — | — |
| vercel | next.js | >= 10.0.0 < 14.2.7 | 14.2.7 |
CVSS provenance
nvd · CVSS v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat · 5.9 MEDIUM
OSV
Denial of Service condition in Next.js image optimization
osv·2024-10-14
CVE-2024-47831 [MEDIUM] Denial of Service condition in Next.js image optimization
### Impact
The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.
**Not affected:**
- The `next.config.js` file is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value.
- The Next.js application is hosted on Vercel.
### Patches
This issue was fully patched in Next.js `14.2.7`. We recommend that users upgrade to at least this version.
### Workarounds
Ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.
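The advisory gives two facts a defender needs to triage a deployment: the affected version range (10.0.0 up to but not including 14.2.7) and the configuration conditions under which the image optimizer is not exposed. The following is an added example, not code from the advisory or from the Next.js project, that turns those two facts into a small triage helper: it parses the installed Next.js version, checks it against the advisory's range, and inspects a parsed `next.config.js` object for any of the three workaround keys. It assumes that the built-in loader is named `"default"` (so any other string in `images.loader` counts as non-default), that pre-release suffixes such as `-canary.3` can be ignored for the range check, and that the caller states whether the app is hosted on Vercel; the function and field names are this example's own.

```javascript
// Added example (not the advisory's or the Next.js project's code).
// Triage helper for CVE-2024-47831: is this deployment in the affected
// version range, and is one of the advisory's workarounds already in place?

const FIRST_AFFECTED = [10, 0, 0]; // affected ranges start at 10.x
const FIXED_VERSION = [14, 2, 7];  // first fixed release per the advisory
const DEFAULT_LOADER = "default";  // assumption: name of the built-in loader

// Parse "MAJOR.MINOR.PATCH". A leading "v" and any pre-release suffix
// (e.g. "-canary.3") are ignored; that is an assumption of this example.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version satisfies >= 10.0.0 and < 14.2.7.
function isAffectedVersion(text) {
  const v = parseVersion(text);
  return compareVersions(v, FIRST_AFFECTED) >= 0 &&
         compareVersions(v, FIXED_VERSION) < 0;
}

// Inspect the `images` section of a parsed next.config.js object for the
// three workaround conditions named in the advisory.
function imageWorkaroundStatus(config) {
  const images = (config && config.images) || {};
  const reasons = [];
  if (images.unoptimized === true) {
    reasons.push("images.unoptimized is true");
  }
  if (typeof images.loader === "string" && images.loader !== DEFAULT_LOADER) {
    reasons.push(`images.loader is "${images.loader}"`);
  }
  if (typeof images.loaderFile === "string" && images.loaderFile.length > 0) {
    reasons.push(`images.loaderFile is "${images.loaderFile}"`);
  }
  return { mitigated: reasons.length > 0, reasons };
}

// Combine the version check, the config check and the hosting fact.
// hostedOnVercel is supplied by the caller; the advisory lists Vercel
// hosting as not affected.
function assessExposure({ nextVersion, config, hostedOnVercel = false }) {
  const affectedVersion = isAffectedVersion(nextVersion);
  const { mitigated, reasons } = imageWorkaroundStatus(config);
  const exposed = affectedVersion && !mitigated && !hostedOnVercel;
  let action;
  if (!affectedVersion) {
    action = "no action: version outside the affected range";
  } else if (exposed) {
    action = "upgrade to Next.js 14.2.7 or later, or apply a workaround now";
  } else {
    action = "not exposed via a workaround/hosting; still upgrade to 14.2.7 or later";
  }
  return { affectedVersion, mitigated, reasons, hostedOnVercel, exposed, action };
}

// Constructed sample configs (not real deployments).
const weakConfig = { images: { domains: ["cdn.example.com"] } }; // optimizer on, default loader
const hardenedConfig = { images: { unoptimized: true } };        // workaround applied

console.log(assessExposure({ nextVersion: "14.2.6", config: weakConfig }));
console.log(assessExposure({ nextVersion: "14.2.6", config: hardenedConfig }));
```

Run it against the object exported by your own `next.config.js` and the version reported by `npm ls next`; a result with `exposed: true` means the optimizer endpoint is reachable on a vulnerable release with no workaround in place, which is the case the advisory is about.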
#### Credits
Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras
GHSA
Denial of Service condition in Next.js image optimization
ghsa·2024-10-14
CVE-2024-47831 [MEDIUM] CWE-674 Denial of Service condition in Next.js image optimization
Red Hat
next.js: Next.js image optimization has Denial of Service condition
vendor_redhat·2024-10-14·CVSS 5.9
CVE-2024-47831 [MEDIUM] CWE-674 next.js: Next.js image optimization has Denial of Service condition
A flaw was found in Next.js. In certain version
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.