CVE-2021-39178
Cross-Site Scripting (XSS) vulnerability in next (npm)

Cross-Site Scripting (XSS) No known exploit

What is CVE-2021-39178 About?

This vulnerability affects Next.js versions 10.0.0 through 11.1.0 and allows potential Cross-Site Scripting (XSS) via user-provided SVG images. It applies only when next.config.js configures images.domains and one of the listed domains serves user-provided SVG files. Exploitation requires that specific configuration plus an attacker able to place malicious SVG content on one of those domains.

Affected Software

next >=10.0.0, <11.1.1

Technical Details

The vulnerability arises in Next.js applications (versions 10.0.0 through 11.1.0) under a specific configuration: next.config.js explicitly defines an images.domains array, and one of the listed domains permits the upload and serving of user-provided SVG files. The built-in image optimizer behind the next/image component fetches a remote file from an allowed domain and serves it from the application's own origin; because it does not resize SVG, it passes SVG content through unchanged. An attacker who can place a malicious SVG containing embedded script (e.g., <script>alert('XSS')</script>) on such a domain can therefore have it served under the Next.js application's origin. When a victim's browser loads that SVG as a document (for example by opening the optimizer URL for it directly; browsers do not execute scripts in SVG loaded through an <img> element), the embedded JavaScript runs in the application's origin, which is a Cross-Site Scripting (XSS) attack. The vulnerability does not affect deployments on Vercel or configurations using a custom images.loader.
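The pattern described above, as an added example that is not Next.js code and not the upstream patch: a minimal image-proxy response builder that relays whatever an allowed upstream host returns (the vulnerable shape) next to a hardened version that classifies the body by its leading bytes, refuses anything that is not a raster format, and sends headers that keep a browser from treating the response as a document. The hostnames, URLs and the in-memory UPSTREAM map are constructed stand-ins for images.domains and for what a network fetch would return.

```javascript
// Added example (not Next.js code): vulnerable vs. hardened image proxy.
// ALLOWED_DOMAINS and UPSTREAM are constructed stand-ins for images.domains
// and for the bytes a real fetch of the remote URL would return.

const ALLOWED_DOMAINS = ["cdn.example.com", "uploads.example.com"]; // constructed

const UPSTREAM = {
  "https://cdn.example.com/logo.png": {
    contentType: "image/png",
    body: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  },
  // A user-uploaded "image" that is really a script-bearing SVG document.
  "https://uploads.example.com/avatar.svg": {
    contentType: "image/svg+xml",
    body: Buffer.from(
      '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
    ),
  },
};

function hostAllowed(url) {
  try {
    return ALLOWED_DOMAINS.includes(new URL(url).hostname);
  } catch {
    return false;
  }
}

// Vulnerable pattern: the domain check passes, so whatever the upstream host
// returned is relayed inline, under our own origin, with its own Content-Type.
// A script-bearing SVG opened directly at the proxy URL then runs as our origin.
function serveImageVulnerable(url) {
  if (!hostAllowed(url)) return { status: 400, headers: {}, body: null };
  const up = UPSTREAM[url];
  if (!up) return { status: 404, headers: {}, body: null };
  return { status: 200, headers: { "Content-Type": up.contentType }, body: up.body };
}

// Classify the body by its magic bytes instead of trusting the upstream
// Content-Type. Only raster formats that cannot carry script are recognised;
// anything else (including SVG, which is XML and may contain <script>) is null.
function sniffRasterType(b) {
  if (b.length >= 8 && b[0] === 0x89 && b[1] === 0x50 && b[2] === 0x4e && b[3] === 0x47) return "image/png";
  if (b.length >= 3 && b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff) return "image/jpeg";
  if (b.length >= 6 && b.toString("latin1", 0, 4) === "GIF8") return "image/gif";
  if (b.length >= 12 && b.toString("latin1", 0, 4) === "RIFF" && b.toString("latin1", 8, 12) === "WEBP") return "image/webp";
  return null;
}

// Hardened pattern: same domain check, but the relayed body must sniff as a
// raster image, and the response carries headers that stop a browser from
// re-interpreting it as an active document even if the sniff were wrong.
function serveImageHardened(url) {
  if (!hostAllowed(url)) return { status: 400, headers: {}, body: null };
  const up = UPSTREAM[url];
  if (!up) return { status: 404, headers: {}, body: null };
  const type = sniffRasterType(up.body);
  if (type === null) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: Buffer.from("unsupported image type") };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": type,
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "default-src 'none'; script-src 'none'; sandbox",
    },
    body: up.body,
  };
}
```

The hardened version never consults the upstream Content-Type at all; the allow-list on hostnames decides where bytes may come from, and the magic-byte check decides what may be relayed. Refusing SVG outright is the simplest safe choice for a proxy that serves content under its own origin; a proxy that must serve SVG would at minimum have to send it with a sandboxing Content-Security-Policy or as an attachment.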

What is the Impact of CVE-2021-39178?

Successful exploitation may allow attackers to perform Cross-Site Scripting (XSS) attacks, leading to session hijacking, data theft, defacement, or redirection of users to malicious sites.

What is the Exploitability of CVE-2021-39178?

Exploitation of this vulnerability is of moderate complexity because it has several prerequisites. The application must run an affected Next.js version (10.0.0 through 11.1.0), must have images.domains configured in next.config.js, and, crucially, one of the listed domains must allow the upload and serving of user-provided SVG files. Triggering the XSS in a victim's browser requires no authentication or privileges, but the attacker needs a way to upload or inject the malicious SVG into one of the trusted image domains. The attack vector is remote and the payload executes client-side. Risk factors that increase likelihood include allowing untrusted users to upload SVG files and using the default image loader without strict validation of the content types it relays.
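The prerequisites above can be checked against an installed version and a next.config.js images block. The following is an added example, not Next.js code or tooling: it encodes the advisory's conditions (affected version range, images.domains present, default loader, not on Vercel) and takes as input the list of domains the operator knows to serve user uploads, since the config alone cannot tell which hosts accept user-provided SVG. The sample version strings, configs and hostnames are constructed; the imgix loader value in the third sample is used only as an example of a non-default images.loader.

```javascript
// Added example (not Next.js code): audit a next.config.js images block and the
// installed next version against the conditions CVE-2021-39178 describes.
// All sample inputs below are constructed.

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" and any pre-release or
// build suffix are ignored) into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Affected range per the advisory: >=10.0.0 and <11.1.1.
function versionInAffectedRange(v) {
  const p = parseVersion(v);
  return cmpVersion(p, [10, 0, 0]) >= 0 && cmpVersion(p, [11, 1, 1]) < 0;
}

// userUploadHosts: domains the operator knows serve user-supplied files.
// onVercel: deployment target; Vercel deployments are stated as unaffected.
// Returns { affected, findings } where findings explains the decision.
function auditImageConfig({ nextVersion, nextConfig, userUploadHosts = [], onVercel = false }) {
  const images = (nextConfig && nextConfig.images) || {};
  const domains = Array.isArray(images.domains) ? images.domains : [];
  const loader = images.loader || "default";

  if (!versionInAffectedRange(nextVersion)) {
    return { affected: false, findings: [`next ${nextVersion} is outside >=10.0.0 <11.1.1`] };
  }
  if (onVercel) return { affected: false, findings: ["deployed on Vercel"] };
  if (loader !== "default") return { affected: false, findings: [`non-default images.loader '${loader}' in use`] };
  if (domains.length === 0) return { affected: false, findings: ["images.domains not configured"] };

  const risky = domains.filter((d) => userUploadHosts.includes(d));
  if (risky.length === 0) {
    return { affected: false, findings: ["images.domains set, but no listed domain is known to serve user uploads"] };
  }
  return { affected: true, findings: [`user-upload domains listed in images.domains: ${risky.join(", ")}`] };
}

// Constructed sample inputs.
const VULNERABLE = {
  nextVersion: "11.0.1",
  nextConfig: { images: { domains: ["cdn.example.com", "uploads.example.com"] } },
  userUploadHosts: ["uploads.example.com"],
};
const PATCHED = { ...VULNERABLE, nextVersion: "11.1.1" };
const CUSTOM_LOADER = {
  ...VULNERABLE,
  nextConfig: { images: { loader: "imgix", path: "https://img.example.net/", domains: ["uploads.example.com"] } },
};
```

Run auditImageConfig over each deployment's next.config.js together with the hosts your upload pipeline actually writes to; a domain that is only ever written by your build (a static CDN) does not meet the advisory's condition, while one that receives end-user files does, whether or not the upload form intends to accept SVG.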

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-39178?

Available Upgrade Options

  • next
    • >=10.0.0, <11.1.1 → Upgrade to 11.1.1


Additional Resources

What are Similar Vulnerabilities to CVE-2021-39178?

Similar Vulnerabilities: CVE-2020-28498, CVE-2020-7760, CVE-2023-36660, CVE-2021-43527, CVE-2018-1000600