Next.js Cross-Site Scripting Vulnerability in BeforeInteractive Scripts

Vulnerability

A cross-site scripting vulnerability has been identified in Next.js, a React framework for full-stack web applications. This issue affects versions from 13.0.0 up to (but not including) 15.5.16, and from 16.0.0 up to (but not including) 16.2.5. The vulnerability arises when applications use beforeInteractive scripts with untrusted content: attacker-controlled input can escape the intended script context and execute arbitrary JavaScript in a user's browser. The root cause is that serialized script content was not properly escaped before being added to the document.

Impact

Exploitation allows for cross-site scripting, where an attacker can execute arbitrary JavaScript in the context of the user's browser.

Remediation

Upgrade to Next.js 15.5.16 or 16.2.5, where this vulnerability is fixed. If an immediate upgrade is not possible, avoid passing untrusted data into beforeInteractive scripts, or sanitize or escape the content before embedding it.
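The interim mitigation above, escaping serialized data before it is placed in an inline script, is illustrated by the following added example. It is not Next.js code and does not reproduce the framework's own serialization or its fix (the page does not describe either); it shows the general pattern for any inline script body, such as one rendered with `next/script` and `strategy="beforeInteractive"`. The function names, the sample input and the variable name are constructed for the example.

```javascript
// Added example (not Next.js code): escaping serialized data before it is
// embedded in an inline <script> body, the mitigation the advisory recommends
// when untrusted input must reach a beforeInteractive script.

// Characters that remain dangerous inside an inline script body even after
// JSON serialization:
//   "<" and ">"        can form "</script>" (or "<!--") and end the script element
//   "&"                not decoded inside HTML <script>, but is if the same markup
//                      is ever served as XHTML, so escaping it is a cheap safety margin
//   U+2028 / U+2029    legal in JSON, but not in JS string literals on older engines
// All are replaced with JSON \uXXXX escapes, so the output is still valid JSON.
const INLINE_SCRIPT_ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

function serializeForInlineScript(value) {
  return JSON.stringify(value).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => INLINE_SCRIPT_ESCAPES[ch]
  );
}

// The global name the script assigns to is part of the script text as well, so it
// is restricted to a plain identifier rather than interpolated blindly.
function assertIdentifier(name) {
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) {
    throw new Error(`refusing to emit non-identifier variable name: ${name}`);
  }
  return name;
}

// The defect pattern: serialized content dropped into the script body unescaped.
// A value containing "</script>" closes the element and the rest is parsed as HTML.
function unsafeInlineScript(varName, value) {
  return `<script>window.${assertIdentifier(varName)} = ${JSON.stringify(value)};</script>`;
}

// The hardened form: same markup, but the serialized value cannot close the element.
function safeInlineScript(varName, value) {
  return `<script>window.${assertIdentifier(varName)} = ${serializeForInlineScript(value)};</script>`;
}

// Defensive check for generated markup (usable in a unit test or a render-time
// guard): the body between the script tags must contain no "</" at all. The HTML
// parser only reacts to "</script", but rejecting every "</" is the conservative rule.
function inlineScriptBodyIsSafe(markup) {
  const m = /^<script>([\s\S]*)<\/script>$/.exec(markup);
  if (!m) return false;
  return !m[1].includes("</");
}

// Constructed sample: a query value an application might have taken from a request.
const SAMPLE = { q: "</script><b>x</b>" };

console.log(unsafeInlineScript("__DATA__", SAMPLE)); // body contains a closing script tag
console.log(safeInlineScript("__DATA__", SAMPLE));   // body contains only \u003c escapes
```

The escaped output is still valid JSON, so `JSON.parse` on the client returns the original value unchanged; only the textual form inside the HTML differs.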

Added: May 13, 2026, 7:47 PM
Updated: May 13, 2026, 7:47 PM

Vulnerability Rating (custom algorithm)

spread: 5.2
impact: 1.7
exploitability: 6.5
remediation: 8.3
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.