This module enables integration between Next.js and Drupal for headless CMS functionality.
When installed, the module automatically enables cross-origin resource sharing (CORS) with insecure default settings (Access-Control-Allow-Origin: *), overriding any services.yml CORS configuration. This allows any origin to make cross-origin requests to the site without administrator knowledge or consent.
This vulnerability affects all installations as there are no configuration options to disable this behavior.
There are two steps to resolve the issue: install the latest version and review your configuration.
- Update the module:
  - If you use the Next.js module for Drupal 10 or 11, upgrade to Next.js 2.0.1.
  - If you use the Next.js module for Drupal 9 (1.x branch), upgrade to Next.js 1.6.4.
- After upgrading, review the CORS configuration in sites/default/services.yml (see this module's CORS.md for details). This is especially important if you previously relied on the automatic CORS configuration.
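As an added example (not part of this advisory or the module's own files), the cors.config block of sites/default/services.yml using the keys Drupal core's default.services.yml defines, with the wildcard origin the affected module used to force shown commented out beside an allowlist limited to the Next.js front end; the hostname is a placeholder for your deployment.

```yaml
# sites/default/services.yml (added example; keys follow Drupal core's default.services.yml)
parameters:
  cors.config:
    enabled: true
    # Weak: the behaviour the pre-fix module forced, equivalent to
    # Access-Control-Allow-Origin: * for every origin.
    # allowedOrigins: ['*']
    # Hardened: only the Next.js front end may make cross-origin requests.
    # https://frontend.example.com is a placeholder, not a value from the advisory.
    allowedOrigins:
      - 'https://frontend.example.com'
    allowedOriginsPatterns: []
    # Headers and methods the front end actually needs; avoid '*' here as well.
    allowedHeaders: ['x-csrf-token', 'authorization', 'content-type', 'accept', 'origin', 'x-requested-with']
    allowedMethods: ['GET', 'POST', 'OPTIONS']
    exposedHeaders: false
    maxAge: false
    # Keep false unless the front end must send cookies; combined with a wildcard
    # origin this setting would be rejected by browsers anyway.
    supportsCredentials: false
```

services.yml is read when the service container is built, so rebuild caches (for example with `drush cache:rebuild`) and confirm the Access-Control-Allow-Origin header on an API response names only your front end.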
- Bram Driesen (bramdriesen), provisional member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team