
9 matches found

GitHub Security Blog
added 2024/10/14 7:45 p.m. | 38 views

Denial of Service condition in Next.js image optimization

Impact: The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Not affected: - The next.config.js file is configured with images.unoptimized set to true or images.loader set to...

CVSS 7.5 | AI score 6.7 | EPSS 0.01306
Exploits: 1 | References: 4 | Affected Software: 1
Cvelist
added 2024/10/14 6:4 p.m. | 26 views

CVE-2024-47831 Next.js image optimization has Denial of Service condition

Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither t...

CVSS 5.9 | EPSS 0.01306
Exploits: 1 | References: 2
Tenable Nessus
added 2024/09/17 12:0 a.m. | 11 views

Next.js Remote Patterns Server-Side Request Forgery

The Next.js framework embeds an image optimization component which is enabled by default and allows dynamic resizing when requested. This feature leverages the 'next.config.js' configuration file to ensure that the target host being requested is allowed. When misconfigured, a remote and unauthenticat...

AI score 7
Exploits: 0 | References: 2
Veracode
added 2022/02/18 2:2 p.m. | 20 views

User Interface (UI) Misrepresentation Of Critical Information

next has a User Interface (UI) Misrepresentation of Critical Information vulnerability. The vulnerability exists because the next.config.js file has images.loader assigned as the default loader configuration, leading to misrepresentation of critical user information...

CVSS 7.5 | AI score 1.3 | EPSS 0.01381
Exploits: 0 | References: 4 | Affected Software: 1
Prion
added 2022/02/17 9:15 p.m. | 13 views

Design/Logic Flaw

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in...

CVSS 4.3 | AI score 7.5 | EPSS 0.01381
Exploits: 0 | References: 3 | Affected Software: 1
CVE
added 2022/02/17 8:35 p.m. | 195 views

CVE-2022-23646

CVE-2022-23646 affects Next.js (React framework) versions 10.0.0 through 12.0.x prior to 12.1.0. The issue is UI misrepresentation of critical information when next.config.js defines an images.domains array and the image host in domains allows user-provided SVG; if next.config.js uses a non-defau...

CVSS 7.5 | AI score 6.4 | EPSS 0.01381
Exploits: 0 | References: 3 | Affected Software: 1
Veracode
added 2021/09/01 10:0 a.m. | 24 views

Cross-site Scripting (XSS)

next is vulnerable to cross-site scripting. An attacker is able to inject and execute malicious script via the image optimization API if the next.config.js file has an images.domains array assigned and the image host assigned in images.domains which allows user-provided SVG...

CVSS 7.5 | AI score 3 | EPSS 0.007
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2021/08/31 12:15 a.m. | 12 views

CVE-2021-39178

Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the next.config.js file must have images.domains array assigned and the image host assigned in images.domains mus...

CVSS 6.1 | AI score 6.1
Exploits: 0 | References: 2
Prion
added 2021/08/31 12:15 a.m. | 14 views

Cross site scripting

Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the next.config.js file must have images.domains array assigned and the image host assigned in images.domains mus...

CVSS 4.3 | AI score 6.2 | EPSS 0.007
Exploits: 0 | References: 2 | Affected Software: 1