GHSA-g77x-44xx-532m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g77x-44xx-532m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g77x-44xx-532m/GHSA-g77x-44xx-532m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g77x-44xx-532m
- Aliases
- Related
- Published
- 2024-10-14T19:45:21Z
- Modified
- 2024-11-08T18:55:47Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- Denial of Service condition in Next.js image optimization
- Details
-
Impact
The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.
Not affected: - The
next.config.jsfile is configured withimages.unoptimizedset totrueorimages.loaderset to a non-default value. - The Next.js application is hosted on Vercel.Patches
This issue was fully patched in Next.js
14.2.7. We recommend that users upgrade to at least this version.Workarounds
Ensure that the
next.config.jsfile has eitherimages.unoptimized,images.loaderorimages.loaderFileassigned.Credits
Brandon Dahler (brandondahler), AWS Dimitrios Vlastaras
- Database specific
{ "nvd_published_at": "2024-10-14T18:15:05Z", "cwe_ids": [ "CWE-674" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-10-14T19:45:21Z" }- References
Affected packages
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next