next
Fixed versions
10.0.1
14.2.7
CVE-2024-47831 describes a Denial of Service (DoS) vulnerability within the image optimization feature of Next.js. This flaw can trigger excessive CPU consumption, potentially impacting application performance and availability. The vulnerability affects versions of Next.js prior to 14.2.7, and a patch is available in version 14.2.7.
An attacker could exploit this vulnerability by crafting malicious image requests that trigger the image optimization feature to consume excessive CPU resources. This could lead to a denial of service, rendering the Next.js application unresponsive or significantly slowing down its performance. The impact is particularly severe for applications heavily reliant on image optimization or those serving a high volume of image requests. While not directly leading to data exfiltration, the DoS condition can disrupt service and potentially mask other malicious activity.
CVE-2024-47831 was published on 2024-10-14. There is no indication of this vulnerability being actively exploited in the wild. The EPSS score is likely low, given the lack of public exploits and the availability of a straightforward mitigation. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Exploitation status
EPSS
1.70% (82nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-47831 is to upgrade to Next.js version 14.2.7 or later, which includes the necessary patch. If upgrading is not immediately feasible, a workaround involves configuring the next.config.js file. Specifically, setting images.unoptimized to true or configuring images.loader to a non-default value will disable the vulnerable image optimization feature. After upgrading, confirm the fix by sending a series of image requests and monitoring CPU usage to ensure it remains within acceptable limits.
Upgrade Next.js to version 14.2.7 or later. Alternatively, ensure that the `next.config.js` file has `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.
CVE-2024-47831 is a Denial of Service vulnerability in Next.js's image optimization feature, allowing attackers to cause excessive CPU usage and potentially disrupt application availability.
You are affected if you are using a version of Next.js prior to 14.2.7 and have not configured images.unoptimized or a non-default images.loader.
Upgrade to Next.js version 14.2.7 or later. Alternatively, configure images.unoptimized to true or set a non-default images.loader in your next.config.js file.
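The "are you affected" rule above (unpatched version and the built-in optimizer still enabled) and the `next.config.js` workaround, as an added example that is not part of the advisory or of Next.js itself. The config objects mirror the `images` section of `next.config.js`; the function names and the sample configurations are assumptions made for this check.

```javascript
// Added example: an audit helper for CVE-2024-47831. Given the installed
// Next.js version and the parsed next.config.js object, it reports whether the
// vulnerable built-in image optimizer (/_next/image) is still reachable.
// The config keys are the real next.config.js keys; the helper names are ours.

const FIXED_VERSION = "14.2.7"; // first patched release per the advisory

// Numeric comparison of dotted version strings; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The workaround from the advisory: images.unoptimized = true, a loaderFile,
// or any loader other than the default one all bypass the built-in optimizer.
function optimizerDisabled(images = {}) {
  if (images.unoptimized === true) return true;
  if (typeof images.loaderFile === "string" && images.loaderFile.length > 0) return true;
  if (typeof images.loader === "string" && images.loader !== "default") return true;
  return false;
}

// Affected only when the version is older than the fix AND the optimizer is on.
function isAffected(nextVersion, nextConfig = {}) {
  const unpatched = compareVersions(nextVersion, FIXED_VERSION) < 0;
  return unpatched && !optimizerDisabled(nextConfig.images);
}

// Constructed sample configs: the weak (default) one and the mitigated one.
const weakConfig = { images: {} };
const mitigatedConfig = { images: { unoptimized: true } };

module.exports = { compareVersions, optimizerDisabled, isAffected, weakConfig, mitigatedConfig };
```

Run `isAffected(require("next/package.json").version, require("./next.config.js"))` from the project root to evaluate a real deployment; a `true` result means upgrade or apply the workaround.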
There is currently no evidence of CVE-2024-47831 being actively exploited in the wild.
Refer to the Next.js security advisory for detailed information and updates: [https://github.com/vercel/next.js/security/advisories/GHSA-9937-4947-4947](https://github.com/vercel/next.js/security/advisories/GHSA-9937-4947-4947)