Potential XSS, ReDoS, and dynamic code execution findings exist, but there is no conclusive evidence of malicious intent. Classifying as not malware.
The evidence suggests potential vulnerabilities such as XSS, ReDoS, and dynamic code execution/import. However, these are potential vulnerabilities that require specific conditions to be exploited. There is no concrete evidence of malicious intent or active exploitation. Next.js is a widely used framework, and these findings are likely areas for improvement rather than deliberately malicious code. Therefore, I classify the package as not malware.

| File | Title | Confidence |
|---|---|---|
| package/dist/compiled/next-server/app-page-experimental.runtime.prod.js | Potential XSS vulnerability due to javascript: URL | Medium |
| package/dist/compiled/next-server/app-page-experimental.runtime.prod.js | Potential XSS vulnerability due to javascript: URL | Medium |
| package/dist/compiled/next-server/app-page-turbo.runtime.prod.js | javascript: URL Injection | Medium |
| package/dist/compiled/next-server/app-page-turbo.runtime.prod.js | javascript: URL Injection | Medium |
| package/dist/compiled/next-server/app-page.runtime.dev.js | Potential XSS vulnerability due to eval usage | Medium |
| package/dist/compiled/next-server/app-page.runtime.dev.js | Potential XSS vulnerability due to eval usage | Medium |
| package/dist/compiled/next-server/app-page.runtime.prod.js | Potential Arbitrary Code Execution via javascript: URI | Medium |
| package/dist/compiled/next-server/app-page.runtime.prod.js | Potential Arbitrary Code Execution via javascript: URI | Medium |
| package/dist/compiled/next-server/app-route-turbo.runtime.prod.js | Potential Denial of Service via Regular Expression | Medium |
| package/dist/compiled/next-server/app-route.runtime.prod.js | Dynamic Code Execution | Medium |
| package/dist/compiled/next-server/app-route.runtime.prod.js | Dynamic Code Execution | Medium |
| package/dist/compiled/next-server/app-route.runtime.prod.js | Dynamic Import | Medium |
| package/dist/compiled/next-server/app-route.runtime.prod.js | Dynamic Import | Medium |