PT-2021-22436 · Vercel · Vercel

Styfle · Published 2021-08-30 · Updated 2021-09-08 · CVE-2021-39178

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Next.js versions 10.0.0 through 11.0.0

Description: Next.js is a React framework. In the affected versions it contains a cross-site scripting issue. For an instance to be affected, the next.config.js file must have the images.domains array assigned, and an image host listed in images.domains must allow user-provided SVG. The instance is not affected if next.config.js assigns images.loader to something other than default, or if it is deployed on Vercel.

Recommendations: For Next.js versions 10.0.0 through 11.0.0, update to version 11.1.1 to resolve the issue. As a temporary workaround, modify next.config.js to assign images.loader to something other than default, or restrict the use of user-provided SVG on the hosts listed in images.domains until the patch is applied.
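An added check that applies the conditions above to a project's Next.js version and its next.config.js (example code written for this page, not part of the advisory or of Next.js). It assumes the caller supplies the resolved "next" version string, the object that next.config.js exports, and whether the instance runs on Vercel; whether a listed host actually serves user-provided SVG cannot be read from the config, so those hosts are returned for manual review.

```javascript
// Added example, not part of the advisory or of Next.js: assesses whether a
// project's Next.js version and next.config.js match the affected
// configuration described for CVE-2021-39178.
// Assumptions: `nextVersion` is the resolved version of the "next" package
// (e.g. from package.json or `npm ls next`), `config` is the object exported
// by next.config.js, and `deployedOnVercel` is supplied by the caller.

// Parse "10.2.3" (optionally prefixed with ^, ~ or v) into [major, minor, patch].
function parseVersion(version) {
  const m = String(version).trim().match(/^[\^~]?v?(\d+)\.(\d+)\.(\d+)/);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Affected range per the advisory: 10.0.0 through 11.0.0 inclusive.
function inAffectedRange(version) {
  const v = parseVersion(version);
  if (!v) return false;
  const [major, minor, patch] = v;
  if (major === 10) return true;
  return major === 11 && minor === 0 && patch === 0;
}

// Returns { configMatches, reasons, domainsToReview }. configMatches is true
// only when every condition the advisory lists is met; `reasons` explains
// which condition rules the instance out. The SVG condition is not visible
// in the config, so the configured hosts are handed back for manual review.
function assessNextConfig(nextVersion, config, deployedOnVercel = false) {
  const images = (config && config.images) || {};
  const domains = Array.isArray(images.domains) ? images.domains : [];
  const loader = images.loader || 'default';   // absent loader means default
  const reasons = [];
  if (!inAffectedRange(nextVersion)) reasons.push(`next ${nextVersion} is outside 10.0.0-11.0.0`);
  if (domains.length === 0) reasons.push('images.domains is not set');
  if (loader !== 'default') reasons.push(`images.loader is "${loader}", not default`);
  if (deployedOnVercel) reasons.push('instance is deployed on Vercel');
  const configMatches = reasons.length === 0;
  return { configMatches, reasons, domainsToReview: configMatches ? domains : [] };
}

// Constructed sample next.config.js contents, as an affected project might ship them.
const sampleConfig = { images: { domains: ['cdn.example.com', 'uploads.example.net'] } };
const sampleResult = assessNextConfig('10.2.3', sampleConfig);
console.log(JSON.stringify(sampleResult, null, 2));
```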

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-39178
GHSA-9GR3-7897-PP7M

Affected Products

Vercel