Description
XSS in Image Optimization API for Next.js
Impact
- Affected: all of the following must be true to be affected
  - Next.js between version 10.0.0 and 11.1.0
  - The `next.config.js` file has an `images.domains` array assigned
  - The image host assigned in `images.domains` allows user-provided SVG
- Not affected: the `next.config.js` file has `images.loader` assigned to something other than default
- Not affected: deployments on Vercel are not affected
Patches
References
Packages
Name: next (npm)
Affected versions: >= 10.0.0, < 11.1.1
Fixed version: 11.1.1
Related vulnerabilities
CVSS3: 7.5
nvd
almost 4 years ago
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.
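The affected/not-affected conditions above can be turned into a quick audit check. The following Node.js helper is an added example, not code from the advisory or from the Next.js project: it takes the installed `next` version (as read from `node_modules/next/package.json`) and the `images` section of `next.config.js`, applies the advisory's version range and configuration conditions, and reports whether the project matches the affected profile. Whether a listed host actually accepts user-provided SVG cannot be derived from the config, so the helper returns the configured domains for manual review instead of guessing. The function names, the `deployedOnVercel` flag and the sample config are assumptions of this example.

```javascript
// Parse "MAJOR.MINOR.PATCH" (a leading "v", "^" or "~" is tolerated) into numbers.
function parseVersion(v) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Version range from the advisory: >= 10.0.0 and < 11.1.1 (11.1.1 is the fix).
function isVulnerableVersion(version) {
  return compareVersions(version, '10.0.0') >= 0 &&
         compareVersions(version, '11.1.1') < 0;
}

// Apply the advisory's conditions to one project.
//   nextVersion      - installed next version string
//   images           - the `images` object from next.config.js (may be undefined)
//   deployedOnVercel - hypothetical flag supplied by the caller
// Returns { affected, reasons, domainsToReview }.
function assessNextImagesConfig({ nextVersion, images = {}, deployedOnVercel = false }) {
  const reasons = []; // every entry here is a reason the project is NOT affected

  if (!isVulnerableVersion(nextVersion)) {
    reasons.push(`next ${nextVersion} is outside the affected range >= 10.0.0, < 11.1.1`);
  }

  const domains = Array.isArray(images.domains) ? images.domains : [];
  if (domains.length === 0) {
    reasons.push('images.domains is not assigned, so remote images are not optimised');
  }

  if (images.loader && images.loader !== 'default') {
    reasons.push(`images.loader is "${images.loader}", not the default loader`);
  }

  if (deployedOnVercel) {
    reasons.push('deployed on Vercel, which the advisory lists as not affected');
  }

  return {
    affected: reasons.length === 0,
    reasons,
    // The advisory's last condition (the host allows user-provided SVG) must be
    // checked by hand for each of these hosts.
    domainsToReview: reasons.length === 0 ? domains : [],
  };
}

// Constructed sample (not a real project): an affected version with a remote
// image host and the default loader, i.e. the profile the advisory describes.
const sampleConfig = { images: { domains: ['cdn.example.com'] } };
const sampleResult = assessNextImagesConfig({
  nextVersion: '11.0.1',
  images: sampleConfig.images,
});
console.log(JSON.stringify(sampleResult, null, 2));
```

In a real audit the two inputs come from `require('next/package.json').version` and `require('./next.config.js').images`; a project that comes back `affected: true` should either upgrade to 11.1.1 or confirm that none of the hosts in `domainsToReview` serve user-uploaded SVG.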