CVE-2024-47831

5.9 MEDIUM

📋 TL;DR

A vulnerability in the Next.js image optimization feature allows attackers to trigger excessive CPU consumption, leading to a potential Denial of Service (DoS). It affects Next.js applications that use the default image optimization configuration. Applications with images.unoptimized set to true, applications using a non-default images.loader, and applications hosted on Vercel are not vulnerable.

💻 Affected Systems

Products:
  • Next.js
Versions: 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using default image optimization. Not vulnerable if images.unoptimized is true, images.loader is non-default, or hosted on Vercel.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to CPU exhaustion, making the application inaccessible to legitimate users.

🟠 Likely Case

Degraded application performance with intermittent availability issues and increased infrastructure costs.

🟢 If Mitigated

No impact if proper configuration or patching is applied.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending specially crafted requests to trigger the CPU consumption issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.2.7

Vendor Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m

Restart Required: Yes

Instructions:

1. Update Next.js to version 14.2.7 or later using npm update next or yarn upgrade next.
2. Restart the application server.
3. Verify the update with npm list next or yarn list next.

🔧 Temporary Workarounds

Disable image optimization

Set images.unoptimized to true in next.config.js to bypass the vulnerable component; images are then served as-is and the server-side optimizer never runs.

// In next.config.js
module.exports = {
  images: {
    unoptimized: true
  }
}

Use a custom image loader

Configure a non-default image loader so that image requests never reach the vulnerable code path.

// In next.config.js
module.exports = {
  images: {
    loader: 'custom',
    // loaderFile must point to a module whose default export
    // builds the image URL: ({ src, width, quality }) => string
    loaderFile: './path/to/loader.js'
  }
}

🧯 If You Can't Patch

  • Implement rate limiting on image optimization endpoints
  • Deploy web application firewall (WAF) rules to detect and block malicious image requests

🔍 How to Verify

Check if Vulnerable:

Check next.config.js: the application is in the vulnerable configuration if images.unoptimized is false (or absent, which is the default) and images.loader is unset or set to 'default'. Check package.json for a Next.js version below 14.2.7.

Check Version:

npm list next | grep next || yarn list next | grep next

Verify Fix Applied:

Verify Next.js version is 14.2.7 or higher using npm list next or yarn list next. Confirm application restarted successfully.
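As an added example (not part of this advisory page or of the Next.js project), the following Node.js snippet applies the checks above to a project's next.config.js values and its package.json Next.js version, and reports whether the combination matches the vulnerable configuration. The function names, the hostedOnVercel flag and the sample inputs are constructed for illustration.

```javascript
// Added example: assess whether a Next.js project is in the vulnerable
// CVE-2024-47831 configuration (affected version + default image optimizer).

// Parse "14.2.3", "^14.2.3" or "~14.2.3" into [major, minor, patch].
function parseVersion(spec) {
  const m = /^[\^~>=<\s]*(\d+)\.(\d+)\.(\d+)/.exec(spec);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const FIXED = [14, 2, 7]; // first fixed release per the advisory

// nextConfig: the object exported by next.config.js (already loaded).
// nextVersion: the "next" entry from package.json dependencies.
// hostedOnVercel: assumed input flag; hosting cannot be read from config.
function assessNextImageConfig(nextConfig, nextVersion, { hostedOnVercel = false } = {}) {
  const version = parseVersion(nextVersion);
  if (!version) return { vulnerable: null, reason: `unparseable version "${nextVersion}"` };
  if (version[0] < 10) return { vulnerable: false, reason: 'version outside affected 10.x-14.x range' };
  if (compareVersions(version, FIXED) >= 0) return { vulnerable: false, reason: 'version is 14.2.7 or later' };

  const images = (nextConfig && nextConfig.images) || {};
  if (images.unoptimized === true) return { vulnerable: false, reason: 'images.unoptimized is true' };
  // An absent loader means the default loader, which is the affected one.
  if (images.loader && images.loader !== 'default') {
    return { vulnerable: false, reason: `non-default loader "${images.loader}"` };
  }
  if (hostedOnVercel) return { vulnerable: false, reason: 'hosted on Vercel' };
  return { vulnerable: true, reason: 'default image optimization on an affected version' };
}

// Constructed sample: a config that leaves the optimizer enabled on 14.2.3.
const sampleConfig = { images: { unoptimized: false } };
console.log(assessNextImageConfig(sampleConfig, '^14.2.3'));
```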

📡 Detection & Monitoring

Log Indicators:

  • Spike in CPU usage metrics
  • Increased error rates in image optimization endpoints
  • Unusual number of image optimization requests

Network Indicators:

  • High volume of requests to /_next/image* endpoints
  • Requests with unusual image parameters or sizes

SIEM Query:

source="application_logs" AND (message="CPU spike" OR endpoint="/_next/image*") AND status="500"

🔗 References
