CVE-2021-39178
CVE-2021-39178 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. EPSS estimates a 1.14% chance of exploitation in the next 30 days.
Description
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. For an instance to be affected, the `next.config.js` file must have the `images.domains` array set, and an image host listed in `images.domains` must allow user-provided SVG. If `next.config.js` sets `images.loader` to anything other than the default, or the instance is deployed on Vercel, the instance is not affected. The vulnerability is patched in Next.js version 11.1.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vercel | Next.js | >= 10.0.0, < 11.1.1 |
References
- https://github.com/vercel/next.js/releases/tag/v11.1.1 (Patch, Release Notes, Third Party Advisory)
- https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m (Patch, Third Party Advisory)
Source: NVD / NIST
