cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-47831,https://securityvulnerability.io/vulnerability/CVE-2024-47831,Potential Denial of Service (DoS) Vulnerability in Image Optimization Feature Affects Next.js Versions,"Next.js is a widely-used React Framework for building web applications. Certain versions of Next.js, specifically the 10.x to 14.x branches prior to version 14.2.7, contain a vulnerability related to the image optimization feature. This flaw could potentially lead to a Denial of Service (DoS) condition by causing excessive CPU consumption. Users configuring the `next.config.js` file with `images.unoptimized` set to `true`, or using a non-default value for `images.loader`, or hosting their Next.js application on Vercel are not impacted by this issue. The vulnerability has been addressed in Next.js version 14.2.7. To mitigate risks, it is essential for users to adjust their configuration settings appropriately.",Vercel,Next.js,7.5,HIGH,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-10-14T18:15:00.000Z,0
CVE-2024-46982,https://securityvulnerability.io/vulnerability/CVE-2024-46982,Next.js vulnerability: Poisoned cache could expose sensitive data,"A cache poisoning vulnerability exists in the Next.js framework, which is widely used for building full-stack web applications. This vulnerability allows an attacker to send a specially crafted HTTP request that can manipulate the cache of non-dynamic server-side rendered routes. Specifically, it affects routes handled by the pages router when configured incorrectly, enabling the caching of content that should remain uncached. Affected versions, from 13.5.1 to 14.2.9, may inadvertently send a `Cache-Control: s-maxage=1, stale-while-revalidate` header, which may influence upstream Content Delivery Networks (CDNs) to cache responses. The only resolution to mitigate this issue is to upgrade to Next.js versions 13.5.7, 14.2.10, or later. Users are encouraged to apply the patch without delay, as there are no recommended workarounds available.",Vercel,Next.js,7.5,HIGH,0.00044999999227002263,false,,true,false,true,2024-12-14T18:14:01.000Z,true,true,false,,2024-09-17T22:15:00.000Z,8028
CVE-2024-39693,https://securityvulnerability.io/vulnerability/CVE-2024-39693,Denial of Service Condition in Next.js Framework,"A critical Denial of Service (DoS) vulnerability has been identified in Next.js, a widely-used React framework. This bug can lead to a server crash, severely affecting the availability and performance of applications built using this framework. The vulnerability was addressed in Next.js version 13.5 and later. Users are strongly advised to update to the latest version to mitigate the risks associated with this vulnerability. For further details, please refer to the advisory on the Vercel GitHub page.",Vercel,Next.js,7.5,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-10T19:54:10.773Z,0
CVE-2024-34351,https://securityvulnerability.io/vulnerability/CVE-2024-34351,Server-Side Request Forgery (SSRF) vulnerability in Next.js Server Actions,"A vulnerability has been identified in the Next.js framework that allows Server-Side Request Forgery (SSRF) under specific conditions. This flaw arises when the 'Host' header is modified in a self-hosted Next.js environment. Particularly, if the application utilizes Server Actions and those actions perform redirects to relative paths starting with '/', an attacker could exploit this by making requests that seem to originate from the Next.js application server itself. The issue has been addressed and fixed in version 14.1.1 of Next.js.",Vercel,Next.js,7.5,HIGH,0.001019999966956675,false,,true,false,true,2024-05-11T05:39:10.000Z,true,true,true,2024-05-10T11:52:02.702Z,2024-05-14T15:38:00.000Z,17162
CVE-2024-34350,https://securityvulnerability.io/vulnerability/CVE-2024-34350,Next.js resolves response queue poisoning vulnerability in affected versions,"Two new vulnerabilities have been discovered in Next.js, related to response queue poisoning and SSRF on certain Next.js versions. The response queue poisoning vulnerability can manipulate a front-end server and map wrong back-end responses, while the SSRF vulnerability occurs when the server is called by a redirect and takes the host header from the client, potentially leading to an SSRF vulnerability. These vulnerabilities have been patched in Next.js versions 13.5.1 and 14.x to prevent exploitation. No known ransomware cases related to the vulnerabilities have been reported.",Vercel,Next.js,7.5,HIGH,0.0004299999854993075,false,,true,false,false,,,false,false,,2024-05-14T15:38:00.000Z,0
CVE-2024-24828,https://securityvulnerability.io/vulnerability/CVE-2024-24828,Predictable Package Names in pkg Lead to Security Risks,"The pkg tool from Vercel, intended for bundling Node.js projects into executable files, exposes a vulnerability due to its use of a hardcoded directory on Unix systems, specifically `/tmp/pkg/*`. This shared directory lacks uniqueness for package names, making it predictable and susceptible to exploitation. If an attacker gains access to the local system, they can substitute legitimate executables with malicious ones of the same name, which users may unknowingly execute. The pkg tool is deprecated and will not receive patches for this vulnerability. Users are advised to check if their executables rely on native code and utilize the `/tmp/pkg/` directory. Transitioning to actively maintained alternatives, such as Node.js 21’s single executable applications support, is strongly recommended for enhanced security.",vercel,pkg,7.8,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-02-09T22:21:04.933Z,0
CVE-2023-46298,https://securityvulnerability.io/vulnerability/CVE-2023-46298,Denial of Service Vulnerability in Next.js by Vercel,"Next.js prior to version 13.4.20-canary.13 contains a vulnerability due to the absence of a cache-control header, which can lead to empty prefetch responses being cached by Content Delivery Networks (CDNs). This caching behavior may inadvertently cause a denial of service for users attempting to access the same URL via the CDN, resulting in interruptions in service and accessibility issues.",Vercel,Next.js,7.5,HIGH,0.0007099999929778278,false,,false,false,false,,,false,false,,2023-10-22T03:15:00.000Z,0
CVE-2021-43803,https://securityvulnerability.io/vulnerability/CVE-2021-43803,Unexpected server crash in Next.js,"Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.",Vercel,Next.js,7.5,HIGH,0.0030900000128895044,false,,false,false,false,,,false,false,,2021-12-10T00:15:00.000Z,0
CVE-2021-39178,https://securityvulnerability.io/vulnerability/CVE-2021-39178,XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0,"Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.",Vercel,Next.js,7.5,HIGH,0.0006200000061653554,false,,false,false,false,,,false,false,,2021-08-31T00:15:00.000Z,0
CVE-2015-8315,https://securityvulnerability.io/vulnerability/CVE-2015-8315,,"The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a ""regular expression denial of service (ReDoS).""",Vercel,Ms,7.5,HIGH,0.0018400000408291817,false,,false,false,false,,,false,false,,2017-01-23T21:00:00.000Z,0