Url parameter not allowed after nextjs upgrade from 13.4.12 to 13.5.11 due to CVE-2025-29927 #77882

Open
frankda opened this issue Apr 7, 2025 · 0 comments
Labels
Image (next/image) Related to Next.js Image Optimization.

frankda commented Apr 7, 2025

Link to the code that reproduces this issue

https://stackblitz.com/edit/stackblitz-starters-aaa2rwkz?description=The%20React%20framework%20for%20production&file=app%2Fpage.tsx,next.config.js,package.json&title=Next.js%20Starter

To Reproduce

1. Set up a nextjs 13.5.11 project
2. Configure next.config.js with this image setting

  images: {
    remotePatterns: [
      {
        protocol: 'https',
        hostname: '**',
        port: '',
        pathname: '**',
      },
    ],
  },

3. On any page, add these two images

      <Image
        width="100"
        height="100"
        src="https://www.vodafone.com.au/images/devices/apple/iphone-15-pro-max/iphone-15-pro-max-natural-titanium-feature1-m.jpg"
        alt="test"
      />

      <Image
        width="100"
        height="100"
        src="https://letsenhance.io/static/73136da51c245e80edc6ccfe44888a99/1015f/MainBefore.jpg"
        alt="test"
      />

The first image doesn't load

Current vs. Expected behavior

Current: get a "Url parameter not allowed" response to the image request
Expected: get the image correctly

Provide environment information

Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 24.3.0: Thu Jan  2 20:24:06 PST 2025; root:xnu-11215.81.4~3/RELEASE_ARM64_T8103
Binaries:
  Node: 18.18.1
  npm: 9.8.1
  Yarn: 1.22.19
  pnpm: 9.5.0
Relevant Packages:
  next: 13.5.11
  eslint-config-next: 13.4.12
  react: 18.2.0
  react-dom: 18.2.0
  typescript: 4.9.5
Next.js Config:
  output: N/A

Which area(s) are affected? (Select all that apply)

Image (next/image)

Which stage(s) are affected? (Select all that apply)

next dev (local), next start (local), Other (Deployed)

Additional context

In nextjs 13.4.12, we are using a custom server and deployed our project in AWS Lambda. All images load fine. After the upgrade to 13.5.11 because of the middleware security issue, none of the images can load.

Due to the cost of refactoring, we haven't had the chance to upgrade to Next.js 15, but we expect next/image to behave consistently in version 13.

@github-actions github-actions bot added the Image (next/image) Related to Next.js Image Optimization. label Apr 7, 2025
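
The `remotePatterns` entry in the reproduction uses `hostname: '**'`, which lets the image optimization endpoint fetch from any HTTPS host. The following is an added example, not code from the issue or from Next.js, of a pre-deploy check that flags such entries and confirms a narrower allowlist still covers the two image URLs from the report; the tightened patterns and the helper names are assumptions, the matcher is a simplified stand-in for Next.js's glob matching, and it does not address the reported error.

```javascript
// Added example, not code from the issue or from Next.js.
// Constructed from the reproduction: the posted config and its two image URLs.
const postedPatterns = [
  { protocol: 'https', hostname: '**', port: '', pathname: '**' },
];

// Assumption: the app only needs these two hosts and path prefixes.
const tightenedPatterns = [
  { protocol: 'https', hostname: 'www.vodafone.com.au', port: '', pathname: '/images/**' },
  { protocol: 'https', hostname: 'letsenhance.io', port: '', pathname: '/static/**' },
];

const imageUrls = [
  'https://www.vodafone.com.au/images/devices/apple/iphone-15-pro-max/iphone-15-pro-max-natural-titanium-feature1-m.jpg',
  'https://letsenhance.io/static/73136da51c245e80edc6ccfe44888a99/1015f/MainBefore.jpg',
];

// A hostname made only of "*" and "." admits every host, so the optimizer
// endpoint will fetch from anywhere the server can reach.
function findOpenHostPatterns(patterns) {
  return patterns.filter((p) => /^[*.]+$/.test(p.hostname));
}

// Simplified matcher (hypothetical helper, NOT Next.js's glob matching):
// exact protocol, host and port; pathname is "**", "<prefix>/**" or literal.
// Wildcard hostnames are reported by findOpenHostPatterns, not matched here.
function isCovered(patterns, rawUrl) {
  const u = new URL(rawUrl);
  return patterns.some((p) => {
    if (p.protocol && `${p.protocol}:` !== u.protocol) return false;
    if (p.hostname !== u.hostname) return false;
    if ((p.port || '') !== u.port) return false;
    if (!p.pathname || p.pathname === '**') return true;
    if (!p.pathname.endsWith('/**')) return p.pathname === u.pathname;
    return u.pathname.startsWith(p.pathname.slice(0, -2));
  });
}

// URLs the given allowlist would reject; empty means no known image breaks.
function uncoveredUrls(patterns, urls) {
  return urls.filter((url) => !isCovered(patterns, url));
}

console.log('open-host patterns:', findOpenHostPatterns(postedPatterns).length);
console.log('uncovered by tightened list:', uncoveredUrls(tightenedPatterns, imageUrls));
```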