Next.js — открытый JavaScript фреймворк, созданный поверх React.js для создания веб-приложений
Релизный цикл, информация об уязвимостях
График релизов
Количество 33
CVE-2021-39178
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.
GHSA-vxf5-wxwp-m7g9
Open Redirect in Next.js
CVE-2021-37699
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0.
CVE-2020-15242
Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain. The issue is fixed in version 9.5.4.
GHSA-x56p-c8cg-q435
Open Redirect in Next.js versions
CVE-2020-5284
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
GHSA-fq77-7p7r-83rj
Directory Traversal in Next.js
GHSA-qw96-mm2g-c8m7
Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page
CVE-2018-18282
Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page.
GHSA-m34x-wgrh-g897
Directory traversal vulnerability in Next.js
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2021-39178 Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1. | CVSS3: 7.5 | 1% Низкий | почти 4 года назад |
| GHSA-vxf5-wxwp-m7g9 Open Redirect in Next.js | CVSS3: 6.9 | 0% Низкий | почти 4 года назад |
| CVE-2021-37699 Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0. | CVSS3: 6.9 | 0% Низкий | почти 4 года назад |
| CVE-2020-15242 Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain. The issue is fixed in version 9.5.4. | CVSS3: 4.7 | 0% Низкий | больше 4 лет назад |
| GHSA-x56p-c8cg-q435 Open Redirect in Next.js versions | CVSS3: 4.7 | 0% Низкий | больше 4 лет назад |
| CVE-2020-5284 Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2. | CVSS3: 4.4 | 77% Высокий | около 5 лет назад |
| GHSA-fq77-7p7r-83rj Directory Traversal in Next.js | CVSS3: 4.4 | 77% Высокий | около 5 лет назад |
| GHSA-qw96-mm2g-c8m7 Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page | CVSS3: 6.1 | 0% Низкий | больше 6 лет назад |
| CVE-2018-18282 Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. | CVSS3: 6.1 | 0% Низкий | больше 6 лет назад |
| GHSA-m34x-wgrh-g897 Directory traversal vulnerability in Next.js | CVSS3: 7.5 | 50% Средний | больше 7 лет назад |
Уязвимостей на страницу