Platform
nodejs
Component
next
Fixed in
10.0.1
14.2.7
CVE-2024-47831 describes a Denial of Service (DoS) vulnerability in the image optimization feature of Next.js. The flaw can trigger excessive CPU consumption, degrading application performance and availability. Versions of Next.js prior to 14.2.7 are affected; the fix ships in version 14.2.7.
An attacker could exploit this vulnerability by crafting image requests that cause the image optimization feature to consume excessive CPU resources, leading to a denial of service in which the Next.js application becomes unresponsive or significantly slower. The impact is most severe for applications that rely heavily on image optimization or serve a high volume of image requests. Although the flaw does not directly lead to data exfiltration, the DoS condition disrupts service and can mask other malicious activity.
CVE-2024-47831 was published on 2024-10-14. There is no indication of this vulnerability being actively exploited in the wild. The EPSS score is likely low, given the lack of public exploits and the availability of a straightforward mitigation. No KEV listing is currently available.
Exploit Status
EPSS
1.70% (percentile 82%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-47831 is to upgrade to Next.js version 14.2.7 or later, which includes the patch. If upgrading is not immediately feasible, a workaround is to configure next.config.js so that the built-in image optimizer is not used: set images.unoptimized to true, or set images.loader to a non-default value (together with images.loaderFile where a custom loader is used). After upgrading, confirm the fix by sending a series of image requests and monitoring CPU usage to ensure it remains within acceptable limits.
Upgrade Next.js to version 14.2.7 or later. Alternatively, make sure the `next.config.js` file has `images.unoptimized`, `images.loader` or `images.loaderFile` set.
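The two workarounds above expressed as next.config.js fragments, followed by a small audit helper that reports whether a given config/version pair is still exposed. This is an added example for illustration, not code from the Next.js project or from the advisory; the `isMitigated` and `isAtLeast` helpers, the `./my-image-loader.js` path, and the rule set they encode (patched version, `unoptimized: true`, non-default `loader`, or a `loaderFile`) are assumptions drawn from the mitigation text, and the version comparison assumes plain dotted numeric versions, not canary tags.

```javascript
// Added example (not Next.js project code): mitigating next.config.js fragments
// for CVE-2024-47831 plus a helper that audits a loaded config object.

// Workaround 1: disable the built-in optimizer entirely; images are served as-is.
const mitigatedConfig = {
  images: {
    unoptimized: true,
  },
};

// Workaround 2: route optimization to an external loader instead of the built-in one.
// The loaderFile path is a hypothetical placeholder.
const externalLoaderConfig = {
  images: {
    loader: 'custom',
    loaderFile: './my-image-loader.js',
  },
};

// Default configuration: built-in optimizer active, exposed on versions < 14.2.7.
const defaultConfig = { images: {} };

// Numeric comparison of dotted version strings, e.g. isAtLeast('14.10.0', '14.2.7') === true.
// Assumes plain numeric components; pre-release suffixes are not handled.
function isAtLeast(version, minimum) {
  const a = version.split('.').map(Number);
  const b = minimum.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Returns true when the config/version pair is not exposed to CVE-2024-47831:
// either the patched version is in use, or the built-in optimizer is disabled or bypassed.
function isMitigated(config, nextVersion) {
  if (isAtLeast(nextVersion, '14.2.7')) return true;
  const images = (config && config.images) || {};
  if (images.unoptimized === true) return true;
  if (images.loader && images.loader !== 'default') return true;
  if (images.loaderFile) return true;
  return false;
}

module.exports = { mitigatedConfig, externalLoaderConfig, defaultConfig, isAtLeast, isMitigated };
```

In practice, `require('./next.config.js')` and the version from `node_modules/next/package.json` would be fed to `isMitigated` as part of a CI check, so a regression that re-enables the default optimizer on an unpatched version is caught before deployment.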
CVE-2024-47831 is a Denial of Service vulnerability in the Next.js image optimization feature that lets attackers cause excessive CPU usage and potentially disrupt application availability.
You are affected if you run a version of Next.js prior to 14.2.7 and have not set images.unoptimized to true or configured a non-default images.loader.
Upgrade to Next.js version 14.2.7 or later. Alternatively, set images.unoptimized to true or configure a non-default images.loader in your next.config.js file.
There is currently no evidence of CVE-2024-47831 being actively exploited in the wild.
Refer to the Next.js security advisory for detailed information and updates: [https://github.com/vercel/next.js/security/advisories/GHSA-9937-4947-4947](https://github.com/vercel/next.js/security/advisories/GHSA-9937-4947-4947)