CVE-2024-47831: Denial of Service condition in Next.js image optimization

October 14, 2024 (updated November 8, 2024)

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
The Next.js application is hosted on Vercel.

References

github.com/advisories/GHSA-g77x-44xx-532m
github.com/vercel/next.js
github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a
github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m
nvd.nist.gov/vuln/detail/CVE-2024-47831

Detect and mitigate CVE-2024-47831 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →