CVE-2024-47831 Overview
CVE-2024-47831 is a Denial of Service (DoS) vulnerability in Vercel's Next.js framework affecting the image optimization feature. This vulnerability allows attackers to cause excessive CPU consumption through specially crafted requests to the image optimization endpoint, potentially rendering affected applications unresponsive.
Critical Impact
Attackers can exploit the image optimization feature to cause excessive CPU consumption, leading to service degradation or complete denial of service for Next.js applications.
Affected Products
- Vercel Next.js versions 10.x, 11.x, 12.x, 13.x
- Vercel Next.js 14.x versions prior to 14.2.7
- Self-hosted Next.js applications with default image optimization configuration
Discovery Timeline
- 2024-10-14 - CVE-2024-47831 published to NVD
- 2024-11-08 - Last updated in NVD database
Technical Details for CVE-2024-47831
Vulnerability Analysis
This vulnerability resides in the image optimization feature of Next.js, a popular React framework used for building web applications. The flaw is classified under CWE-674 (Uncontrolled Recursion), indicating that the image processing logic can be manipulated to consume excessive CPU resources through recursive or computationally intensive operations.
The vulnerable component is the built-in image optimization endpoint that Next.js exposes by default. When an attacker sends crafted requests to this endpoint, the server spends excessive computation on them, consuming available CPU and degrading performance for legitimate users. In severe cases this results in complete service unavailability.
Importantly, applications hosted on Vercel's platform are not affected by this vulnerability, as Vercel implements additional safeguards around image optimization. Similarly, applications that have explicitly disabled automatic image optimization or configured a custom image loader are not vulnerable.
Root Cause
The root cause of this vulnerability lies in uncontrolled recursion (CWE-674) within the image optimization processing pipeline. The image optimization feature fails to properly validate or limit certain processing parameters, allowing attackers to trigger computationally expensive operations that consume excessive CPU resources. This lack of resource constraints enables a single request or series of requests to monopolize server resources.
Attack Vector
The attack is network-based and requires no authentication or user interaction, making it particularly dangerous for publicly accessible Next.js applications. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the image optimization endpoint (/_next/image). The attack does not require any special privileges, allowing anyone with network access to the application to attempt exploitation.
The vulnerability primarily impacts availability: it does not allow data theft or unauthorized access, but it can effectively take down vulnerable applications through resource exhaustion. Self-hosted Next.js applications using the default image optimization configuration are most at risk.
Detection Methods for CVE-2024-47831
Indicators of Compromise
- Abnormally high CPU utilization on servers hosting Next.js applications
- Increased response times or timeouts for requests to the /_next/image endpoint
- Unusual spikes in traffic targeting image optimization routes
- Server logs showing repeated requests to image optimization endpoints with unusual parameters
Detection Strategies
- Monitor server CPU metrics for sudden spikes that correlate with requests to image optimization endpoints
- Implement rate limiting and alerting on the /_next/image route to detect potential abuse
- Review application logs for patterns of requests that could indicate exploitation attempts
- Use application performance monitoring (APM) tools to track response times and resource consumption for image-related requests
Monitoring Recommendations
- Set up alerts for CPU utilization thresholds that could indicate a DoS attack in progress
- Implement request logging with detailed information about image optimization requests
- Monitor error rates and timeout occurrences on Next.js application endpoints
- Consider deploying a Web Application Firewall (WAF) with rules to detect and block suspicious image optimization requests
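The detection strategies and monitoring recommendations above come down to watching the /_next/image route for bursts from a single client and for parameter values the application itself would never emit. The following is an added example, not code from the advisory or from the Next.js project: a small offline log analyzer that applies both checks to access-log lines. The log format, the thresholds, the client addresses and the sample lines are constructed for this example; the width allowlist is the set of deviceSizes and imageSizes the Next.js documentation lists as defaults and must be adjusted to match your own next.config.js.

```javascript
// Added example (not from the advisory or the Next.js project): scan
// access-log lines for bursts of /_next/image requests from one client and
// for requests whose parameters fall outside what the app normally emits.
// Log format, thresholds and sample lines are constructed for illustration.

const IMAGE_PATH = "/_next/image";

// Widths the Next.js docs list as default deviceSizes + imageSizes.
// Assumption: adjust to your own images.deviceSizes / images.imageSizes,
// because <Image> only ever requests those widths.
const EXPECTED_WIDTHS = new Set([
  16, 32, 48, 64, 96, 128, 256, 384,
  640, 750, 828, 1080, 1200, 1920, 2048, 3840,
]);

// Constructed log format, one request per line:
// "<ISO time> <client ip> <method> <path?query> <status> <duration ms>"
function parseLogLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 6) return null; // unknown format: skip, don't fail
  const [time, ip, method, target, status, ms] = parts;
  const url = new URL(target, "http://log.invalid"); // base only used for parsing
  return {
    time: Date.parse(time),
    ip,
    method,
    path: url.pathname,
    params: url.searchParams,
    status: Number(status),
    ms: Number(ms),
  };
}

// Reasons a single /_next/image request looks unusual (empty = normal).
function unusualParams(req) {
  const reasons = [];
  const w = Number(req.params.get("w"));
  const q = Number(req.params.get("q"));
  if (!req.params.get("url")) reasons.push("missing url");
  if (!EXPECTED_WIDTHS.has(w)) reasons.push(`unexpected width ${w}`);
  if (!(q >= 1 && q <= 100)) reasons.push(`quality out of range ${q}`);
  return reasons;
}

// Walk the log once; keep a sliding window of timestamps per client and
// report the moment a client crosses burstThreshold requests in windowMs.
function analyzeLog(lines, { windowMs = 60_000, burstThreshold = 20 } = {}) {
  const findings = { bursts: [], unusual: [] };
  const perIp = new Map(); // ip -> timestamps of /_next/image requests
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req || req.path !== IMAGE_PATH) continue;
    const reasons = unusualParams(req);
    if (reasons.length) findings.unusual.push({ ip: req.ip, reasons, line });
    const times = perIp.get(req.ip) || [];
    times.push(req.time);
    while (times.length && req.time - times[0] > windowMs) times.shift();
    perIp.set(req.ip, times);
    if (times.length === burstThreshold) {
      findings.bursts.push({
        ip: req.ip,
        count: times.length,
        at: new Date(req.time).toISOString(),
      });
    }
  }
  return findings;
}

// Constructed sample: one normal client, one client hammering the route
// with out-of-range parameters followed by a burst of large renders.
const SAMPLE_LOG = [
  "2024-10-14T10:00:00Z 192.0.2.10 GET /_next/image?url=%2Fhero.png&w=1080&q=75 200 18",
  "2024-10-14T10:00:01Z 192.0.2.10 GET /api/health 200 1",
  "2024-10-14T10:00:02Z 192.0.2.10 GET /_next/image?url=%2Flogo.png&w=256&q=75 200 9",
  "2024-10-14T10:00:05Z 198.51.100.7 GET /_next/image?url=%2Fhero.png&w=9999&q=75 400 2",
  "2024-10-14T10:00:06Z 198.51.100.7 GET /_next/image?url=%2Fhero.png&w=3840&q=500 400 2",
  ...Array.from({ length: 22 }, (_, i) =>
    `2024-10-14T10:00:${String(7 + i).padStart(2, "0")}Z 198.51.100.7 ` +
    "GET /_next/image?url=%2Fhero.png&w=3840&q=100 200 450"),
];

console.log(JSON.stringify(analyzeLog(SAMPLE_LOG), null, 2));
```

The analyzer reports two unusual requests (a width outside the allowlist and a quality above 100) and one burst from 198.51.100.7 at the twentieth request inside the window. Feed it your real access log by replacing `parseLogLine` with one that understands your server's format; the two checks themselves stay the same.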
How to Mitigate CVE-2024-47831
Immediate Actions Required
- Upgrade Next.js to version 14.2.7 or later immediately
- Review next.config.js configuration to ensure image optimization settings are secure
- Implement rate limiting on the /_next/image endpoint as an additional protective measure
- Consider temporarily disabling image optimization if an immediate upgrade is not possible
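The rate-limiting action above is a stop-gap that bounds how much CPU one client can demand from the image route while an upgrade is scheduled. The following is an added example, not code from the advisory or from Next.js: a per-client sliding-window limiter that only applies to /_next/image and leaves every other path untouched, plus a wrapper in the Node `http` handler shape so it can sit in a custom server or proxy layer in front of the application. The limits, the injectable clock and the client addresses are constructed; how you wire it into your own server is left to you.

```javascript
// Added example, not part of the advisory or of Next.js: a sliding-window
// rate limiter scoped to the /_next/image route. Limits and the clock are
// injectable; the values used here are constructed for illustration.

const IMAGE_PATH = "/_next/image";

class ImageRouteLimiter {
  // maxRequests per windowMs, per client key (normally the client IP).
  constructor({ maxRequests = 30, windowMs = 60_000, now = () => Date.now() } = {}) {
    this.maxRequests = maxRequests;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // clientKey -> timestamps of image requests
  }

  // Decide whether a request may proceed. Only the image route is counted;
  // every other path is allowed through without touching the bucket.
  check(clientKey, path) {
    if (!path.startsWith(IMAGE_PATH)) return { allowed: true };
    const t = this.now();
    const hits = this.buckets.get(clientKey) || [];
    // drop timestamps that have fallen out of the window
    while (hits.length && t - hits[0] >= this.windowMs) hits.shift();
    if (hits.length >= this.maxRequests) {
      this.buckets.set(clientKey, hits);
      const retryAfterMs = this.windowMs - (t - hits[0]);
      return { allowed: false, status: 429, retryAfterSec: Math.ceil(retryAfterMs / 1000) };
    }
    hits.push(t);
    this.buckets.set(clientKey, hits);
    return { allowed: true, remaining: this.maxRequests - hits.length };
  }

  // Call periodically so idle clients do not accumulate in memory.
  prune() {
    const t = this.now();
    for (const [key, hits] of this.buckets) {
      if (!hits.length || t - hits[hits.length - 1] >= this.windowMs) {
        this.buckets.delete(key);
      }
    }
  }
}

// Wrapper in the Node http (req, res) handler shape (assumed, not Next.js API).
// Assumption: X-Forwarded-For is only honoured because your own proxy sets it;
// if clients can reach the server directly, use the socket address instead.
function withImageRateLimit(limiter, handler) {
  return (req, res) => {
    const forwarded = (req.headers["x-forwarded-for"] || "").split(",")[0].trim();
    const ip = forwarded || (req.socket && req.socket.remoteAddress) || "unknown";
    const verdict = limiter.check(ip, req.url || "/");
    if (!verdict.allowed) {
      res.statusCode = 429;
      res.setHeader("Retry-After", String(verdict.retryAfterSec));
      res.end("Too Many Requests");
      return;
    }
    handler(req, res);
  };
}
```

A denied request is answered with 429 and a Retry-After header rather than being processed, so a client that keeps sending image requests costs the server a map lookup instead of a render. Size `maxRequests` from your own traffic baseline: count the /_next/image requests a real page load produces and allow a comfortable multiple of that per minute.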
Patch Information
Vercel has released a security patch in Next.js version 14.2.7 that fully addresses this vulnerability. The fix is available in the GitHub commit d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a. Organizations should prioritize upgrading to this version or later to eliminate the vulnerability. For detailed information, refer to the GitHub Security Advisory GHSA-g77x-44xx-532m.
Workarounds
- Set images.unoptimized to true in next.config.js to disable automatic image optimization entirely
- Configure a custom image loader by setting images.loader to a non-default value
- Use images.loaderFile to specify a custom loader implementation
- Migrate to Vercel hosting where additional platform-level protections are in place
// Example next.config.js workaround configurations (use one or the other;
// a single next.config.js must contain only one module.exports)

// Option 1: Disable image optimization
module.exports = {
  images: {
    unoptimized: true,
  },
}

// Option 2: Use a custom loader
module.exports = {
  images: {
    loader: 'custom',
    loaderFile: './my-loader.js',
  },
}
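Option 2 needs the loader file it points at. The following is an added example, not code from the advisory or from Next.js: a minimal ./my-loader.js that hands image resizing to an external image service instead of the built-in endpoint. Next.js calls the loader with `{ src, width, quality }` and uses the returned string as the image URL, so once it is configured the application no longer serves those images through /_next/image. The service hostname is a constructed placeholder; the query parameter names are whatever your image service expects.

```javascript
// Added example, not from the advisory or Next.js: a minimal ./my-loader.js
// for the loaderFile setting above. The hostname is a constructed placeholder.

const IMAGE_SERVICE = "https://images.example.invalid"; // placeholder, constructed

// Next.js calls this with { src, width, quality }; quality is undefined when
// the <Image> element does not set it, so fall back to the documented default.
function myImageLoader({ src, width, quality }) {
  const q = quality || 75;
  const path = src.startsWith("/") ? src : `/${src}`;
  return `${IMAGE_SERVICE}${path}?w=${width}&q=${q}`;
}

// In the real file this is the default export (export default myImageLoader);
// the CommonJS form below keeps the snippet runnable as a plain script.
if (typeof module !== "undefined") module.exports = myImageLoader;
```

With a custom loader in place the resizing work, and therefore the exposure to this class of resource-exhaustion problem, moves to the image service, so make sure that service applies its own limits on width and quality.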
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.