Styfle

Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.29.0 Undici versions prior to 6.21.2 Undici versions prior to 7.5.0 Description: The issue affects applications that use Undici to implement a webhook-like system. If an attacker sets up a server with an invalid certificate and forces the application to call the webhook repeatedly, it can cause a memory leak. Recommendations: For versions prior to 5.29.0, update to version 5.29.0 or later. For versions prior to 6.21.2, update to version 6.21.2 or later. For versions prior to 7.5.0, update to version 7.5.0 or later. As a temporary workaround, avoid calling a webhook repeatedly if the webhook fails.

**Name of the Vulnerable Software and Affected Versions** Next.js versions 10.0.0 through 12.1.0 **Description** Next.js is a React framework vulnerable to User Interface (UI) Misrepresentation of Critical Information. To be affected, the `next.config.js` file must have an `images.domains` array assigned, and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. **Recommendations** For Next.js versions 10.0.0 through 12.0.10, update to version 12.1.0 to resolve the issue. As a temporary workaround for versions 10.0.0 through 12.0.10, change `next.config.js` to use a different `loader configuration` other than the default, for example, by setting `images.loader` to 'imgix' or 'custom'.

**Name of the Vulnerable Software and Affected Versions** Next.js versions 10.0.0 through 11.0.0 **Description** Next.js is a React framework that contains a cross-site scripting issue. For an instance to be affected, the `next.config.js` file must have the `images.domains` array assigned, and the image host in `images.domains` must allow user-provided SVG. The instance is not affected if the `next.config.js` file has `images.loader` assigned to something other than default or if it is deployed on Vercel. **Recommendations** For Next.js versions 10.0.0 through 11.0.0, update to version 11.1.1 to resolve the issue. As a temporary workaround, consider modifying the `next.config.js` file to assign `images.loader` to something other than default, or restrict the use of user-provided SVG in the `images.domains` array until a patch is applied.