Description
Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither a `next.config.js` file configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value, nor a Next.js application hosted on Vercel, is affected. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.
A flaw was found in Next.js. In certain versions, a vulnerability in the image optimization feature allows for a potential Denial of Service (DoS) condition, which could lead to excessive CPU consumption. Neither a `next.config.js` file configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value, nor a Next.js application hosted on Vercel, is affected.
Statement
This Next.js image optimization vulnerability is rated as moderate rather than important because it primarily impacts application availability and only under specific configurations. The risk is confined to setups where the default image optimization settings are in place, while applications hosted on Vercel or configured with `images.unoptimized` or a custom `images.loader` are unaffected.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 7 | firefox | Not affected | ||
Red Hat Enterprise Linux 8 | firefox | Not affected | ||
Red Hat Enterprise Linux 8 | thunderbird | Not affected | ||
Red Hat Enterprise Linux 9 | dotnet7.0 | Not affected | ||
Red Hat Enterprise Linux 9 | firefox | Not affected | ||
Red Hat Enterprise Linux 9 | firefox:flatpak/firefox | Not affected | ||
Red Hat Enterprise Linux 9 | thunderbird | Not affected | ||
Red Hat Enterprise Linux 9 | thunderbird:flatpak/thunderbird | Not affected | ||
Red Hat Trusted Artifact Signer | rhtas/rekor-search-ui-rhel9 | Not affected | ||
Additional information
Status:
EPSS
5.9 Medium
CVSS3
Related vulnerabilities
Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither the `next.config.js` file that is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value nor the Next.js application that is hosted on Vercel are affected. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.
Denial of Service condition in Next.js image optimization
A vulnerability in the Next.js web application framework related to uncontrolled recursion, allowing an attacker to cause a denial of service
EPSS
5.9 Medium
CVSS3