CVE-2021-39178
HIGHNext.js 10.0.0-11.0.0 - Cross-Site Scripting via SVG in Images Domain Configuration
Title source: llmDescription
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m
Patch, Release Notes, Third Party Advisory x_refsource_misc
https://github.com/vercel/next.js/releases/tag/v11.1.1
Scores
CVSS v3
7.5
EPSS
0.0114
EPSS Percentile
63.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-79
Status
published
Products (2)
npm/next
10.0.0 - 11.1.1npm
vercel/next.js
10.0.0 - 11.1.1
Published
Aug 31, 2021
Tracked Since
Feb 18, 2026