QID 981298: Nodejs (npm) Security Update for next (GHSA-9gr3-7897-pp7m)

A security update has been released for next to fix the vulnerability.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

- **Affected:** All of the following must be true to be affected:
  - Next.js between version 10.0.0 and 11.1.0
  - The `next.config.js` file has [`images.domains`](https://nextjs.org/docs/basic-features/image-optimization#domains) array assigned
  - The image host assigned in [`images.domains`](https://nextjs.org/docs/basic-features/image-optimization#domains) allows user-provided SVG
- **Not affected**: The `next.config.js` file has [`images.loader`](https://nextjs.org/docs/basic-features/image-optimization#loader) assigned to something other than default
- **Not affected**: Deployments on [Vercel](https://vercel.com) are not affected

  • CVSS V3 rated as High - 6.1 severity.
  • CVSS V2 rated as Medium - 4.3 severity.
  • Solution
    [Next.js v11.1.1](https://github.com/vercel/next.js/releases/tag/v11.1.1)
    Vendor References

    CVEs related to QID 981298

    Software Advisories
    | Advisory ID | Software Component | Link |
    | --- | --- | --- |
    | GHSA-9gr3-7897-pp7m | next | github.com/advisories/GHSA-9gr3-7897-pp7m |