XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0

Moderate
styfle published GHSA-9gr3-7897-pp7m Aug 30, 2021

Package

npm next (npm)

Affected versions

>= 10.0.0, <= 11.1.0

Patched versions

11.1.1

Description

Impact

  • Affected: All of the following must be true to be affected
    • Next.js between version 10.0.0 and 11.1.0
    • The next.config.js file has an images.domains array assigned
    • An image host listed in images.domains allows user-provided SVG
  • Not affected: The next.config.js file has images.loader assigned to something other than default
  • Not affected: Deployments on Vercel
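As an added example (not part of this advisory or of the Next.js project), a small check that turns the conditions above into something runnable: given the installed Next.js version and the parsed `images` block of next.config.js, it reports whether the deployment is outside the affected range, opted out via `images.loader`, or needs a manual look at whether a listed host serves user-provided SVG. Function names, the hand-rolled version comparison and the sample configs are assumptions made for this example.

```javascript
// Added example, not the advisory's or Next.js's own code. Helper names are hypothetical.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^v/, ''));
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Plain three-part comparison so the example has no dependency on a semver library.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range stated by the advisory: 10.0.0 <= version <= 11.1.0 (patched in 11.1.1).
function inAffectedRange(version) {
  return compareVersions(version, '10.0.0') >= 0 && compareVersions(version, '11.1.0') <= 0;
}

// Walks the advisory's conditions in order. The last condition (a listed host
// serving user-provided SVG) cannot be decided from the config alone, so the
// result is 'review' with the hosts to inspect rather than a definite verdict.
function assessConfig(nextVersion, nextConfig, { onVercel = false } = {}) {
  if (onVercel) return { status: 'not-affected', reason: 'deployed on Vercel' };
  if (!inAffectedRange(nextVersion)) return { status: 'not-affected', reason: 'version outside 10.0.0 to 11.1.0' };
  const images = (nextConfig && nextConfig.images) || {};
  // Assumption: an absent or empty images.domains list means no remote host is allowed.
  const domains = Array.isArray(images.domains) ? images.domains : [];
  if (domains.length === 0) return { status: 'not-affected', reason: 'images.domains not set' };
  // When images.loader is omitted Next.js uses the built-in loader, i.e. 'default'.
  const loader = images.loader || 'default';
  if (loader !== 'default') return { status: 'not-affected', reason: `images.loader is ${loader}` };
  return {
    status: 'review',
    reason: 'check whether a listed host serves user-provided SVG; upgrade to 11.1.1',
    hosts: domains,
  };
}

// Constructed sample configs for illustration (not real deployments).
const defaultLoaderConfig = { images: { domains: ['cdn.example.com'] } };
const customLoaderConfig = { images: { domains: ['cdn.example.com'], loader: 'imgix', path: 'https://example.imgix.net/' } };
```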

Patches

Next.js v11.1.1

Severity

Moderate

CVE ID

CVE-2021-39178

Weaknesses