Potential Denial of Service (DoS) Vulnerability in Image Optimization Feature Affects Next.js Versions
CVE-2024-47831

7.5 HIGH

Key Information:

Vendor: Vercel
Status: Vendor
CVE Published: 14 October 2024

Summary

Next.js is a widely used React framework for building web applications. Certain versions of Next.js, specifically the 10.x to 14.x release lines prior to version 14.2.7, contain a vulnerability in the image optimization feature. This flaw could lead to a Denial of Service (DoS) condition by causing excessive CPU consumption. Users who configure next.config.js with images.unoptimized set to true, who use a non-default value for images.loader, or who host their Next.js application on Vercel are not affected by this issue. The vulnerability has been addressed in Next.js version 14.2.7. Users should upgrade to that version or later, or otherwise adjust their image configuration as described above to mitigate the risk.

Affected Version(s)

next.js >= 10.0.0, < 14.2.7
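As an added example (not code from the advisory or the Next.js project), the following script turns the summary's version range and configuration exemptions into an exposure check that can be run over a deployment's Next.js version and its exported next.config.js object. The `onVercel` flag, the helper names and the sample configurations are assumptions constructed for this example; the affected range (>= 10.0.0, < 14.2.7) and the three exemptions come from the advisory text above.

```javascript
// Added example: assess exposure to CVE-2024-47831 from a Next.js version string
// and the `images` section of next.config.js, using the conditions stated in the
// advisory. Not part of the advisory or the Next.js project.

// Parse a release version "major.minor.patch" (an optional leading "v" is
// accepted) into three integers. Pre-release tags such as canary builds are
// rejected rather than guessed at, since their ordering needs full semver rules.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two parsed versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected range taken from the advisory: next.js >= 10.0.0 and < 14.2.7.
function versionInAffectedRange(version) {
  const v = parseVersion(version);
  return compareVersions(v, [10, 0, 0]) >= 0 && compareVersions(v, [14, 2, 7]) < 0;
}

// Decide whether a deployment is in scope. `config` is the object exported by
// next.config.js; `onVercel` models the advisory's hosting exemption and is an
// assumed input (how it is detected is deployment specific). Every reason the
// deployment is NOT affected is collected so an auditor can see why.
function assessExposure(version, config, onVercel = false) {
  const images = (config && config.images) || {};
  const reasons = [];
  if (!versionInAffectedRange(version)) {
    reasons.push("version outside the affected range (>= 10.0.0, < 14.2.7)");
  }
  if (images.unoptimized === true) {
    reasons.push("images.unoptimized is true");
  }
  if (images.loader !== undefined && images.loader !== "default") {
    reasons.push(`non-default images.loader (${images.loader})`);
  }
  if (onVercel) {
    reasons.push("hosted on Vercel");
  }
  return { affected: reasons.length === 0, reasons };
}

// Constructed sample configurations (not taken from any real deployment).
const defaultImagesConfig = { images: {} };
const unoptimizedConfig = { images: { unoptimized: true } };
const customLoaderConfig = { images: { loader: "custom", loaderFile: "./my-loader.js" } };

console.log(assessExposure("14.2.6", defaultImagesConfig));
console.log(assessExposure("14.2.6", unoptimizedConfig));
console.log(assessExposure("14.2.6", customLoaderConfig));
console.log(assessExposure("14.2.7", defaultImagesConfig));
```

The check deliberately reports `affected: false` together with the exemption that applied, so a reviewer can distinguish "patched" from "mitigated by configuration"; the latter is worth recording because a later change to `images` could silently remove the exemption.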

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
