Vulnerability Description
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vercel | Next.Js | >= 10.0.0, < 11.1.1 |
Related Weaknesses (CWE)
References
- https://github.com/vercel/next.js/releases/tag/v11.1.1PatchRelease NotesThird Party Advisory
- https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7mPatchThird Party Advisory
- https://github.com/vercel/next.js/releases/tag/v11.1.1PatchRelease NotesThird Party Advisory
- https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7mPatchThird Party Advisory
FAQ
What is CVE-2021-39178?
CVE-2021-39178 is a vulnerability with a CVSS score of 7.5 (HIGH). Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config...
How severe is CVE-2021-39178?
CVE-2021-39178 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-39178?
Check the references section above for vendor advisories and patch information. Affected products include: Vercel Next.Js.