next-11.1.2.tgz: 10 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - next-11.1.2.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-11.1.2.tgz

Path to dependency file: /apps/package.json

Path to vulnerable library: /apps/node_modules/next/package.json

Found in HEAD commit: bb1336514e4e78edaf9e780ff4f3756d7ed48ec8

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (next version)	Remediation Available
CVE-2021-44906	High	9.8	minimist-1.2.5.tgz	Transitive	11.1.3-canary.0	❌
CVE-2022-37601	High	9.8	loader-utils-1.2.3.tgz	Transitive	12.0.8-canary.10	❌
CVE-2021-42740	High	9.8	shell-quote-1.7.2.tgz	Transitive	12.0.2-canary.9	❌
CVE-2022-46175	High	8.8	json5-1.0.1.tgz	Transitive	11.1.3-canary.0	❌
CVE-2021-3807	High	7.5	ansi-regex-5.0.0.tgz	Transitive	11.1.3-canary.0	❌
CVE-2022-23646	High	7.5	next-11.1.2.tgz	Direct	12.0.11-canary.10	❌
CVE-2022-37603	High	7.5	loader-utils-1.2.3.tgz	Transitive	12.0.8-canary.10	❌
CVE-2021-43803	High	7.5	next-11.1.2.tgz	Direct	11.1.3-canary.0	❌
CVE-2022-0235	Medium	6.1	node-fetch-2.6.1.tgz	Transitive	11.1.4	❌
CVE-2021-23566	Medium	5.5	nanoid-3.1.25.tgz	Transitive	11.1.3-canary.0	❌

Details

CVE-2021-44906

### Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /apps/package.json

Path to vulnerable library: /apps/node_modules/minimist/package.json

Dependency Hierarchy: - next-11.1.2.tgz (Root Library) - styled-jsx-4.0.1.tgz - loader-utils-1.2.3.tgz - json5-1.0.1.tgz - :x: **minimist-1.2.5.tgz** (Vulnerable Library)

Found in HEAD commit: bb1336514e4e78edaf9e780ff4f3756d7ed48ec8

Found in base branch: develop

### Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (next): 11.1.3-canary.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-37601

### Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /apps/package.json

Path to vulnerable library: /apps/node_modules/loader-utils/package.json

Dependency Hierarchy: - next-11.1.2.tgz (Root Library) - styled-jsx-4.0.1.tgz - :x: **loader-utils-1.2.3.tgz** (Vulnerable Library)

Found in HEAD commit: bb1336514e4e78edaf9e780ff4f3756d7ed48ec8

Found in base branch: develop

### Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (next): 12.0.8-canary.10

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-42740

### Vulnerable Library - shell-quote-1.7.2.tgz

quote and parse shell commands

Library home page: https://registry.npmjs.org/shell-quote/-/shell-quote-1.7.2.tgz

Path to dependency file: /apps/package.json

Path to vulnerable library: /apps/node_modules/shell-quote/package.json

Dependency Hierarchy: - next-11.1.2.tgz (Root Library) - react-dev-overlay-11.1.2.tgz - :x: **shell-quote-1.7.2.tgz** (Vulnerable Library)

Found in HEAD commit: bb1336514e4e78edaf9e780ff4f3756d7ed48ec8

Found in base branch: develop

### Vulnerability Details

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Publish Date: 2021-10-21

URL: CVE-2021-42740

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740

Release Date: 2021-10-21

Fix Resolution (shell-quote): 1.7.3

Direct dependency fix Resolution (next): 12.0.2-canary.9

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-46175

### Vulnerable Library - json5-1.0.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz

Path to dependency file: /apps/package.json

Path to vulnerable library: /apps/node_modules/json5/package.json

Dependency Hierarchy: - next-11.1.2.tgz (Root Library) - styled-jsx-4.0.1.tgz - loader-utils-1.2.3.tgz - :x: **json5-1.0.1.tgz** (Vulnerable Library)

Found in HEAD commit: bb1336514e4e78edaf9e780ff4f3756d7ed48ec8

Found in base branch: develop

### Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 1.0.2

Direct dependency fix Resolution (next): 11.1.3-canary.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-3807

### Vulnerable Library - ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /apps/package.json

Path to vulnerable library: /apps/node_modules/ansi-regex/package.json

Dependency Hierarchy: - next-11.1.2.tgz (Root Library) - react-dev-overlay-11.1.2.tgz - strip-ansi-6.0.0.tgz - :x: **ansi-regex-5.0.0.tgz** (Vulnerable Library)

Found in HEAD commit: bb1336514e4e78edaf9e780ff4f3756d7ed48ec8

Found in base branch: develop

### Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-09-17

URL: CVE-2021-3807

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution (ansi-regex): 5.0.1

Direct dependency fix Resolution (next): 11.1.3-canary.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-23646

### Vulnerable Library - next-11.1.2.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-11.1.2.tgz

Path to dependency file: /apps/package.json

Path to vulnerable library: /apps/node_modules/next/package.json

Dependency Hierarchy: - :x: **next-11.1.2.tgz** (Vulnerable Library)

Found in HEAD commit: bb1336514e4e78edaf9e780ff4f3756d7ed48ec8

Found in base branch: develop

### Vulnerability Details

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.

Publish Date: 2022-02-17

URL: CVE-2022-23646

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23646

Release Date: 2022-02-17

Fix Resolution: 12.0.11-canary.10

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-37603

### Vulnerable Library - loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /apps/package.json

Path to vulnerable library: /apps/node_modules/loader-utils/package.json

Dependency Hierarchy: - next-11.1.2.tgz (Root Library) - styled-jsx-4.0.1.tgz - :x: **loader-utils-1.2.3.tgz** (Vulnerable Library)

Found in HEAD commit: bb1336514e4e78edaf9e780ff4f3756d7ed48ec8

Found in base branch: develop

### Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution (loader-utils): 2.0.4

Direct dependency fix Resolution (next): 12.0.8-canary.10

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-43803

### Vulnerable Library - next-11.1.2.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-11.1.2.tgz

Path to dependency file: /apps/package.json

Path to vulnerable library: /apps/node_modules/next/package.json

Dependency Hierarchy: - :x: **next-11.1.2.tgz** (Vulnerable Library)

Found in HEAD commit: bb1336514e4e78edaf9e780ff4f3756d7ed48ec8

Found in base branch: develop

### Vulnerability Details

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.

Publish Date: 2021-12-10

URL: CVE-2021-43803

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx

Release Date: 2021-12-10

Fix Resolution: 11.1.3-canary.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-0235

### Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /apps/package.json

Path to vulnerable library: /apps/node_modules/node-fetch/package.json

Dependency Hierarchy: - next-11.1.2.tgz (Root Library) - :x: **node-fetch-2.6.1.tgz** (Vulnerable Library)

Found in HEAD commit: bb1336514e4e78edaf9e780ff4f3756d7ed48ec8

Found in base branch: develop

### Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution (node-fetch): 2.6.7

Direct dependency fix Resolution (next): 11.1.4

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-23566

### Vulnerable Library - nanoid-3.1.25.tgz

A tiny (108 bytes), secure URL-friendly unique string ID generator

Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.25.tgz

Path to dependency file: /apps/package.json

Path to vulnerable library: /apps/node_modules/nanoid/package.json

Dependency Hierarchy: - next-11.1.2.tgz (Root Library) - postcss-8.2.15.tgz - :x: **nanoid-3.1.25.tgz** (Vulnerable Library)

Found in HEAD commit: bb1336514e4e78edaf9e780ff4f3756d7ed48ec8

Found in base branch: develop

### Vulnerability Details

The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

Publish Date: 2022-01-14

URL: CVE-2021-23566

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-01-14

Fix Resolution (nanoid): 3.1.31

Direct dependency fix Resolution (next): 11.1.3-canary.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

hackariens / nextjs

next-11.1.2.tgz: 10 vulnerabilities (highest severity is: 9.8) - autoclosed #53

Vulnerabilities

Details