cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-47831,https://securityvulnerability.io/vulnerability/CVE-2024-47831,Potential Denial of Service (DoS) Vulnerability in Image Optimization Feature Affects Next.js Versions,"Next.js is a widely-used React Framework for building web applications. Certain versions of Next.js, specifically the 10.x to 14.x branches prior to version 14.2.7, contain a vulnerability related to the image optimization feature. This flaw could potentially lead to a Denial of Service (DoS) condition by causing excessive CPU consumption. Users configuring the `next.config.js` file with `images.unoptimized` set to `true`, or using a non-default value for `images.loader`, or hosting their Next.js application on Vercel are not impacted by this issue. The vulnerability has been addressed in Next.js version 14.2.7. To mitigate risks, it is essential for users to adjust their configuration settings appropriately.",Vercel,Next.js,7.5,HIGH,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-10-14T18:15:00.000Z,0
CVE-2024-46982,https://securityvulnerability.io/vulnerability/CVE-2024-46982,Next.js vulnerability: Poisoned cache could expose sensitive data,"A cache poisoning vulnerability exists in the Next.js framework, which is widely used for building full-stack web applications. This vulnerability allows an attacker to send a specially crafted HTTP request that can manipulate the cache of non-dynamic server-side rendered routes. Specifically, it affects routes handled by the pages router when configured incorrectly, enabling the caching of content that should remain uncached. Affected versions, from 13.5.1 to 14.2.9, may inadvertently send a `Cache-Control: s-maxage=1, stale-while-revalidate` header, which may influence upstream Content Delivery Networks (CDNs) to cache responses. The only resolution to mitigate this issue is to upgrade to Next.js versions 13.5.7, 14.2.10, or later. Users are encouraged to apply the patch without delay, as there are no recommended workarounds available.",Vercel,Next.js,7.5,HIGH,0.00044999999227002263,false,,true,false,true,2024-12-14T18:14:01.000Z,true,true,false,,2024-09-17T22:15:00.000Z,8028
CVE-2024-39693,https://securityvulnerability.io/vulnerability/CVE-2024-39693,Denial of Service Condition in Next.js Framework,"A critical Denial of Service (DoS) vulnerability has been identified in Next.js, a widely-used React framework. This bug can lead to a server crash, severely affecting the availability and performance of applications built using this framework. The vulnerability was addressed in Next.js version 13.5 and later. Users are strongly advised to update to the latest version to mitigate the risks associated with this vulnerability. For further details, please refer to the advisory on the Vercel GitHub page.",Vercel,Next.js,7.5,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-10T19:54:10.773Z,0
CVE-2024-34351,https://securityvulnerability.io/vulnerability/CVE-2024-34351,Server-Side Request Forgery (SSRF) vulnerability in Next.js Server Actions,"A vulnerability has been identified in the Next.js framework that allows Server-Side Request Forgery (SSRF) under specific conditions. This flaw arises when the 'Host' header is modified in a self-hosted Next.js environment. Particularly, if the application utilizes Server Actions and those actions perform redirects to relative paths starting with '/', an attacker could exploit this by making requests that seem to originate from the Next.js application server itself. The issue has been addressed and fixed in version 14.1.1 of Next.js.",Vercel,Next.js,7.5,HIGH,0.001019999966956675,false,,true,false,true,2024-05-11T05:39:10.000Z,true,true,true,2024-05-10T11:52:02.702Z,2024-05-14T15:38:00.000Z,17162
CVE-2024-34350,https://securityvulnerability.io/vulnerability/CVE-2024-34350,Next.js resolves response queue poisoning vulnerability in affected versions,"Two new vulnerabilities have been discovered in Next.js, related to response queue poisoning and SSRF on certain Next.js versions. The response queue poisoning vulnerability can manipulate a front-end server and map wrong back-end responses, while the SSRF vulnerability occurs when the server is called by a redirect and takes the host header from the client, potentially leading to an SSRF vulnerability. These vulnerabilities have been patched in Next.js versions 13.5.1 and 14.x to prevent exploitation. No known ransomware cases related to the vulnerabilities have been reported.",Vercel,Next.js,7.5,HIGH,0.0004299999854993075,false,,true,false,false,,,false,false,,2024-05-14T15:38:00.000Z,0
CVE-2023-46298,https://securityvulnerability.io/vulnerability/CVE-2023-46298,Denial of Service Vulnerability in Next.js by Vercel,"Next.js prior to version 13.4.20-canary.13 contains a vulnerability due to the absence of a cache-control header, which can lead to empty prefetch responses being cached by Content Delivery Networks (CDNs). This caching behavior may inadvertently cause a denial of service for users attempting to access the same URL via the CDN, resulting in interruptions in service and accessibility issues.",Vercel,Next.js,7.5,HIGH,0.0007099999929778278,false,,false,false,false,,,false,false,,2023-10-22T03:15:00.000Z,0
CVE-2022-36046,https://securityvulnerability.io/vulnerability/CVE-2022-36046,Unexpected server crash in Next.js version 12.2.3,"Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server). Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across requests.",Vercel,Next.js,5.3,MEDIUM,0.0007600000244565308,false,,false,false,false,,,false,false,,2022-08-31T18:55:09.000Z,0
CVE-2022-23646,https://securityvulnerability.io/vulnerability/CVE-2022-23646,Improper CSP in Image Optimization API for Next.js,"Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.",Vercel,Next.js,5.9,MEDIUM,0.001829999964684248,false,,false,false,false,,,false,false,,2022-02-17T20:35:12.000Z,0
CVE-2022-21721,https://securityvulnerability.io/vulnerability/CVE-2022-21721,DOS Vulnerability in next.js,"Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, `next@12.0.9`, that mitigates this issue. As a workaround, one may ensure `/${locale}/_next/` is blocked from reaching the Next.js instance until it becomes feasible to upgrade.",Vercel,Next.js,5.9,MEDIUM,0.0017099999822676182,false,,false,false,false,,,false,false,,2022-01-28T22:00:17.000Z,0
CVE-2021-43803,https://securityvulnerability.io/vulnerability/CVE-2021-43803,Unexpected server crash in Next.js,"Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.",Vercel,Next.js,7.5,HIGH,0.0030900000128895044,false,,false,false,false,,,false,false,,2021-12-10T00:15:00.000Z,0
CVE-2021-39178,https://securityvulnerability.io/vulnerability/CVE-2021-39178,XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0,"Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.",Vercel,Next.js,7.5,HIGH,0.0006200000061653554,false,,false,false,false,,,false,false,,2021-08-31T00:15:00.000Z,0
CVE-2021-37699,https://securityvulnerability.io/vulnerability/CVE-2021-37699,Open Redirect in Next.js versions below 11.1.0,"Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0.",Vercel,Next.js,6.9,MEDIUM,0.0006200000061653554,false,,false,false,false,,,false,false,,2021-08-12T00:15:00.000Z,0
CVE-2020-15242,https://securityvulnerability.io/vulnerability/CVE-2020-15242,Open Redirect in Next.js,"Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. The issue is fixed in version 9.5.4.",Vercel,Next.js,4.7,MEDIUM,0.0006200000061653554,false,,false,false,false,,,false,false,,2020-10-08T19:50:12.000Z,0