CVE-2021-39178 - OpenCVE

Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vercel	Next.js

Configuration 1 [-]

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/vercel/next.js/releases/tag/v11.1.1
https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-08-30T23:55:09

Updated: 2024-08-04T01:58:18.141Z

Reserved: 2021-08-16T00:00:00

Link: CVE-2021-39178

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-08-31T00:15:07.203

Modified: 2021-09-08T13:26:41.323

Link: CVE-2021-39178

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "next.js", "vendor": "vercel", "versions": [{"status": "affected", "version": ">= 10.0.0, < 11.1.1"}]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-30T23:55:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/vercel/next.js/releases/tag/v11.1.1"}], "source": {"advisory": "GHSA-9gr3-7897-pp7m", "discovery": "UNKNOWN"}, "title": "XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39178", "STATE": "PUBLIC", "TITLE": "XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "next.js", "version": {"version_data": [{"version_value": ">= 10.0.0, < 11.1.1"}]}}]}, "vendor_name": "vercel"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m", "refsource": "CONFIRM", "url": "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m"}, {"name": "https://github.com/vercel/next.js/releases/tag/v11.1.1", "refsource": "MISC", "url": "https://github.com/vercel/next.js/releases/tag/v11.1.1"}]}, "source": {"advisory": "GHSA-9gr3-7897-pp7m", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:58:18.141Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vercel/next.js/releases/tag/v11.1.1"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39178", "datePublished": "2021-08-30T23:55:09", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.141Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7C8D2793-2A8B-45B5-867F-A68C934B5A91", "versionEndExcluding": "11.1.1", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1."}, {"lang": "es", "value": "Next.js es un framework de React. Las versiones de Next.js entre 10.0.0 y 11.0.0 contienen una vulnerabilidad de tipo cross-site scripting. Para que una instancia este afectada por la vulnerabilidad, el archivo \"next.config.js\" debe tener asignado el array \"images.domains\" y el host de im\u00e1genes asignado en \"images.domains\" debe permitir el SVG proporcionado por el usuario. Si el archivo \"next.config.js\" tiene asignado \"images.loader\" a algo distinto de lo predeterminado o la instancia est\u00e1 desplegada en Vercel, la instancia no est\u00e1 afectada por la vulnerabilidad. La vulnerabilidad est\u00e1 parcheada en versi\u00f3n 11.1.1 de Next.js"}], "id": "CVE-2021-39178", "lastModified": "2021-09-08T13:26:41.323", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-08-31T00:15:07.203", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/vercel/next.js/releases/tag/v11.1.1"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}