CVE-2021-39178

HIGH

Next.js 10.0.0-11.0.0 - Cross-Site Scripting via SVG in Images Domain Configuration

Title source: llm
STIX 2.1

Description

Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.

References (2)

Core 2
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m
Patch, Release Notes, Third Party Advisory x_refsource_misc
https://github.com/vercel/next.js/releases/tag/v11.1.1

Scores

CVSS v3 7.5
EPSS 0.0114
EPSS Percentile 63.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-79
Status published
Products (2)
npm/next 10.0.0 - 11.1.1npm
vercel/next.js 10.0.0 - 11.1.1
Published Aug 31, 2021
Tracked Since Feb 18, 2026