CVE-2024-47831

Next.js image optimization has Denial of Service condition

CVSS 5.9 MEDIUM · EPSS 0.7% · CWE-674
In short

Next.js versions 10.x through 14.x before 14.2.7 have a flaw in the built-in image optimization feature that a remote attacker can use to consume excessive CPU and make the application unresponsive. Default configurations are affected unless image optimization is disabled (`images.unoptimized` set to `true`), a non-default loader or loader file is configured, or the application is hosted on Vercel. The fix is to upgrade to 14.2.7.

Technical detail

An uncontrolled-recursion flaw (CWE-674) in the built-in Next.js image optimizer lets a remote, unauthenticated attacker drive CPU consumption high enough to make the application unresponsive by sending specially crafted image requests, a denial of service. The CVSS vector rates attack complexity as high, with no privileges or user interaction required and impact limited to availability. Versions 10.x through 14.x before 14.2.7 are affected when the default image optimization settings are in use; applications with `images.unoptimized` set to `true`, a non-default `images.loader`, an `images.loaderFile`, or that are hosted on Vercel are not affected.

Summary generated and translated by AI from the official description.
Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither the `next.config.js` file that is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value nor the Next.js application that is hosted on Vercel are affected. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.
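The following is an added example, not code from the advisory or from the Next.js project. It turns the affected-version range and the `next.config.js` workaround stated above into a self-check: given the installed `next` version, the exported config object and whether the app is hosted on Vercel, it reports whether the install is in the exposed state. The three config objects are constructed samples; `hostedOnVercel` is an input the caller must supply, since nothing in a config file reveals it.

```javascript
// Added example for CVE-2024-47831 (not the advisory's or Next.js's own code).
// Exposed means all of:
//   - next version on the 10.x .. 14.x branches and below 14.2.7,
//   - default image optimizer left on (no images.unoptimized, no non-default
//     images.loader, no images.loaderFile),
//   - not hosted on Vercel.

// Parse "14.2.6" (or "v14.2.6", or "14.3.0-canary.1") into [major, minor, patch].
// Pre-release tags are ignored, so "14.2.7-canary.1" counts as 14.2.7; treat
// canary builds conservatively if that matters to you.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the version is on branches 10.x-14.x and earlier than 14.2.7.
function isVulnerableVersion(v) {
  const [maj, min, pat] = parseVersion(v);
  if (maj < 10 || maj > 14) return false;
  if (maj < 14) return true;          // 10.x .. 13.x are all affected
  if (min < 2) return true;           // 14.0.x, 14.1.x
  if (min > 2) return false;          // 14.3+ (none existed at the time; future-proof)
  return pat < 7;                     // 14.2.0 .. 14.2.6
}

// True when next.config.js leaves the built-in image optimizer on. The
// advisory's workaround is to assign images.unoptimized, images.loader
// (non-default) or images.loaderFile; 'default' is the loader's default value.
function usesDefaultImageOptimizer(config) {
  const images = (config && config.images) || {};
  if (images.unoptimized === true) return false;
  if (images.loader !== undefined && images.loader !== 'default') return false;
  if (typeof images.loaderFile === 'string' && images.loaderFile.length > 0) return false;
  return true;
}

// Combined verdict for one deployment.
function isExposed({ version, config, hostedOnVercel = false }) {
  return !hostedOnVercel
    && isVulnerableVersion(version)
    && usesDefaultImageOptimizer(config);
}

// Constructed sample next.config.js exports (not from any real project).
const vulnerableConfig = {   // default optimizer on: affected on an old version
  images: { domains: ['cdn.example.com'] },
};
const mitigatedConfig = {    // workaround applied: not affected
  images: { unoptimized: true },
};
const customLoaderConfig = { // non-default loader: not affected
  images: { loader: 'custom', loaderFile: './my-loader.js' },
};

// Stand-alone run: prints one line per sample deployment.
for (const [name, config] of Object.entries({ vulnerableConfig, mitigatedConfig, customLoaderConfig })) {
  const exposed = isExposed({ version: '14.2.6', config, hostedOnVercel: false });
  console.log(`${name} on next@14.2.6: ${exposed ? 'EXPOSED' : 'not affected'}`);
}
```

To use it against a real project, `require()` your `next.config.js` (or the object it exports) and read the version from `node_modules/next/package.json`; the version check alone is enough to decide whether to upgrade, the config check tells you whether the workaround is already in place while you do.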
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
vercel · next.js
