CVE-2024-47831: Next.js image optimization has Denial of Service condition
First published: Mon Oct 14 2024(Updated: )
### Impact The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. **Not affected:** - The `next.config.js` file is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value. - The Next.js application is hosted on Vercel. ### Patches This issue was fully patched in Next.js `14.2.7`. We recommend that users upgrade to at least this version. ### Workarounds Ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned. #### Credits Brandon Dahler (brandondahler), AWS Dimitrios Vlastaras
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/next | >=10.0.0<14.2.7 | 14.2.7 |
| Vercel Next.js | >=10.0.0<14.2.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g77x-44xx-532m
- alias/CVE-2024-47831
- agent/software-canonical-lookup
- agent/references
- agent/description
- agent/event
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/nvd-api
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/remedy
- package-manager/npm
- vendor/vercel
- canonical/vercel next.js
- version/vercel next.js/10.0.0