
Cloud Vulnerability DB
A community-led vulnerabilities database
Next.js, a React framework, was found to contain a cross-site scripting (XSS) vulnerability affecting versions between 10.0.0 and 11.0.0. The vulnerability was discovered and disclosed on August 30, 2021, and was assigned CVE-2021-39178. For an instance to be vulnerable, two conditions must both hold: the next.config.js file must have the images.domains array assigned, and an image host listed in images.domains must allow user-provided SVG (GitHub Advisory, NVD).
The vulnerability is specifically in the Image Optimization API in Next.js. The CVSS v3.1 base score was rated 6.1 MEDIUM by NVD and 7.5 HIGH by GitHub. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Instances where next.config.js assigns images.loader to something other than default, and deployments on Vercel, are not affected by this vulnerability (NVD).
The vulnerability could allow attackers to execute cross-site scripting attacks through the Image Optimization API when specific configuration conditions are met. This could potentially lead to unauthorized access to user data or execution of malicious code in the context of the affected web application (GitHub Advisory).
The vulnerability was patched in Next.js version 11.1.1. Users are advised to upgrade to this version or later. For those unable to upgrade immediately, two workarounds are available: either assign the images.loader to something other than default in the next.config.js file, or deploy the application on Vercel, as Vercel deployments are not affected by this vulnerability (GitHub Advisory, Next.js Release).
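As an added illustration (not part of this advisory or of the Next.js project), the following Node.js snippet checks a parsed next.config.js object against the configuration preconditions described above, and shows the images.loader workaround applied. The host names are constructed; the SVG condition and Vercel hosting cannot be read from the config, so matching hosts are only reported for manual review.

```javascript
// Added example, not from the advisory or from Next.js itself.
// Assumption: the caller has already loaded next.config.js (e.g. via require())
// and passes the resulting object; an unset images.loader means "default".

function checkImageConfig(config) {
  const images = (config && config.images) || {};
  const domains = Array.isArray(images.domains) ? images.domains : [];
  const loader = images.loader === undefined ? 'default' : images.loader;

  // The default loader is the built-in Image Optimization API named in the
  // advisory; any other loader is the first workaround and takes this path
  // out of use.
  const usesBuiltInOptimizer = loader === 'default';
  const hasRemoteDomains = domains.length > 0;

  return {
    loader,
    domains,
    // True when both config preconditions hold. Whether any of these hosts
    // serves user-provided SVG, and whether the app runs on Vercel, still
    // has to be checked by hand.
    configMatchesPreconditions: usesBuiltInOptimizer && hasRemoteDomains,
    // Hosts a reviewer should inspect for user-uploaded SVG content.
    hostsToReview: usesBuiltInOptimizer ? domains : [],
  };
}

// Constructed sample configs (hypothetical host names).
// 1) Matches the advisory's preconditions: images.domains set, default loader.
const vulnerableStyleConfig = {
  images: { domains: ['cdn.example.test', 'uploads.example.test'] },
};
// 2) Same domains, but images.loader is set to a non-default loader,
//    which is the workaround the advisory describes.
const mitigatedConfig = {
  images: {
    domains: ['cdn.example.test', 'uploads.example.test'],
    loader: 'imgix',
    path: 'https://example.imgix.net/',
  },
};

for (const [name, cfg] of Object.entries({ vulnerableStyleConfig, mitigatedConfig })) {
  const result = checkImageConfig(cfg);
  console.log(name, JSON.stringify(result));
}
```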
Source: This report was generated using AI