{"id":"CVE-2021-39178","details":"Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.","aliases":["GHSA-9gr3-7897-pp7m"],"modified":"2026-04-10T04:37:01.433521Z","published":"2021-08-31T00:15:07.203Z","related":["GHSA-9gr3-7897-pp7m"],"references":[{"type":"FIX","url":"https://github.com/vercel/next.js/releases/tag/v11.1.1"},{"type":"FIX","url":"https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vercel/next.js","events":[{"introduced":"118ab7992bc8f7a7e5a7bb996510d9b56ffe4f68"},{"fixed":"804971fd9a49dfd009f7339dd8bf4bc32e6eb02c"}],"database_specific":{"versions":[{"introduced":"10.0.0"},{"fixed":"11.1.1"}]}}],"versions":["v10.0.0","v10.0.1","v10.0.1-canary.0","v10.0.1-canary.1","v10.0.1-canary.2","v10.0.1-canary.3","v10.0.1-canary.4","v10.0.1-canary.5","v10.0.1-canary.6","v10.0.1-canary.7","v10.0.10-canary.0","v10.0.10-canary.1","v10.0.10-canary.10","v10.0.10-canary.11","v10.0.10-canary.12","v10.0.10-canary.13","v10.0.10-canary.14","v10.0.10-canary.2","v10.0.10-canary.3","v10.0.10-canary.4","v10.0.10-canary.5","v10.0.10-canary.6","v10.0.10-canary.7","v10.0.10-canary.8","v10.0.10-canary.9","v10.0.2","v10.0.2-canary.0","v10.0.2-canary.1","v10.0.2-canary.10","v10.0.2-canary.11","v10.0.2-canary.12","v10.0.2-canary.13","v10.0.2-canary.14","v10.0.2-canary.15","v10.0.2-canary.16","v10.0.2-canary.17","v10.0.2-canary.18","v10.0.2-canary.19","v10.0.2-canary.2","v10.0.2-canary.20","v10.0.2-canary.3","v10.0.2-canary.4","v10.0.2-canary.5","v10.0.2-canary.6","v10.0.2-canary.7","v10.0.2-canary.8","v10.0.2-canary.9","v10.0.3","v10.0.3-canary.0","v10.0.3-canary.1","v10.0.3-canary.2","v10.0.3-canary.3","v10.0.4","v10.0.4-canary.0","v10.0.4-canary.1","v10.0.4-canary.10","v10.0.4-canary.2","v10.0.4-canary.3","v10.0.4-canary.4","v10.0.4-canary.5","v10.0.4-canary.6","v10.0.4-canary.7","v10.0.4-canary.8","v10.0.4-canary.9","v10.0.5","v10.0.5-canary.0","v10.0.5-canary.1","v10.0.5-canary.10","v10.0.5-canary.11","v10.0.5-canary.12","v10.0.5-canary.2","v10.0.5-canary.3","v10.0.5-canary.4","v10.0.5-canary.5","v10.0.5-canary.6","v10.0.5-canary.7","v10.0.5-canary.8","v10.0.5-canary.9","v10.0.6","v10.0.6-canary.0","v10.0.6-canary.1","v10.0.6-canary.10","v10.0.6-canary.11","v10.0.6-canary.12","v10.0.6-canary.2","v10.0.6-canary.3","v10.0.6-canary.4","v10.0.6-canary.5","v10.0.6-canary.6","v10.0.6-canary.7","v10.0.6-canary.8","v10.0.6-canary.9","v10.0.7","v10.0.7-canary.0","v10.0.7-canary.1","v10.0.7-canary.2","v10.0.7-canary.3","v10.0.7-canary.4","v10.0.7-canary.5","v10.0.7-canary.6","v10.0.7-canary.7","v10.0.7-canary.8","v10.0.8","v10.0.8-canary.0","v10.0.8-canary.1","v10.0.8-canary.10","v10.0.8-canary.11","v10.0.8-canary.12","v10.0.8-canary.13","v10.0.8-canary.14","v10.0.8-canary.15","v10.0.8-canary.16","v10.0.8-canary.17","v10.0.8-canary.2","v10.0.8-canary.3","v10.0.8-canary.4","v10.0.8-canary.5","v10.0.8-canary.6","v10.0.8-canary.7","v10.0.8-canary.8","v10.0.8-canary.9","v10.0.9","v10.0.9-canary.0","v10.0.9-canary.1","v10.0.9-canary.2","v10.0.9-canary.3","v10.0.9-canary.4","v10.0.9-canary.5","v10.0.9-canary.6","v10.0.9-canary.7","v10.0.9-canary.8","v10.1.0","v10.1.1","v10.1.1-canary.0","v10.1.2","v10.1.2-canary.0","v10.1.3","v10.1.3-canary.0","v10.1.3-canary.1","v10.1.3-canary.2","v10.1.4-canary.0","v10.1.4-canary.1","v10.1.4-canary.10","v10.1.4-canary.11","v10.1.4-canary.12","v10.1.4-canary.13","v10.1.4-canary.14","v10.1.4-canary.15","v10.1.4-canary.16","v10.1.4-canary.17","v10.1.4-canary.18","v10.1.4-canary.2","v10.1.4-canary.3","v10.1.4-canary.4","v10.1.4-canary.5","v10.1.4-canary.6","v10.1.4-canary.7","v10.1.4-canary.8","v10.1.4-canary.9","v10.2.0","v10.2.1","v10.2.1-canary.0","v10.2.1-canary.1","v10.2.1-canary.10","v10.2.1-canary.11","v10.2.1-canary.12","v10.2.1-canary.2","v10.2.1-canary.3","v10.2.1-canary.4","v10.2.1-canary.5","v10.2.1-canary.6","v10.2.1-canary.7","v10.2.1-canary.8","v10.2.1-canary.9","v10.2.2","v10.2.2-canary.0","v10.2.2-canary.1","v10.2.3","v10.2.3-canary.0","v10.2.3-canary.1","v10.2.4-canary.0","v10.2.4-canary.1","v10.2.4-canary.10","v10.2.4-canary.11","v10.2.4-canary.12","v10.2.4-canary.13","v10.2.4-canary.14","v10.2.4-canary.15","v10.2.4-canary.16","v10.2.4-canary.17","v10.2.4-canary.18","v10.2.4-canary.19","v10.2.4-canary.2","v10.2.4-canary.3","v10.2.4-canary.4","v10.2.4-canary.5","v10.2.4-canary.6","v10.2.4-canary.7","v10.2.4-canary.8","v10.2.4-canary.9","v11.0.0","v11.0.1","v11.0.1-canary.0","v11.0.1-canary.1","v11.0.1-canary.2","v11.0.1-canary.3","v11.0.1-canary.4","v11.0.1-canary.5","v11.0.1-canary.6","v11.0.1-canary.7","v11.0.1-canary.8","v11.0.2-canary.0","v11.0.2-canary.1","v11.0.2-canary.10","v11.0.2-canary.11","v11.0.2-canary.12","v11.0.2-canary.13","v11.0.2-canary.14","v11.0.2-canary.15","v11.0.2-canary.16","v11.0.2-canary.17","v11.0.2-canary.18","v11.0.2-canary.19","v11.0.2-canary.2","v11.0.2-canary.20","v11.0.2-canary.21","v11.0.2-canary.22","v11.0.2-canary.23","v11.0.2-canary.24","v11.0.2-canary.25","v11.0.2-canary.26","v11.0.2-canary.27","v11.0.2-canary.28","v11.0.2-canary.29","v11.0.2-canary.3","v11.0.2-canary.30","v11.0.2-canary.31","v11.0.2-canary.4","v11.0.2-canary.5","v11.0.2-canary.6","v11.0.2-canary.7","v11.0.2-canary.8","v11.0.2-canary.9","v11.1.0","v11.1.1-canary.0","v11.1.1-canary.1","v11.1.1-canary.10","v11.1.1-canary.11","v11.1.1-canary.12","v11.1.1-canary.13","v11.1.1-canary.14","v11.1.1-canary.15","v11.1.1-canary.16","v11.1.1-canary.17","v11.1.1-canary.18","v11.1.1-canary.19","v11.1.1-canary.2","v11.1.1-canary.3","v11.1.1-canary.4","v11.1.1-canary.5","v11.1.1-canary.6","v11.1.1-canary.7","v11.1.1-canary.8","v11.1.1-canary.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39178.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}