CVE-2022-23646
MEDIUMNext.js 10.0.0-12.0.9 - User Interface Misrepresentation via SVG Image Host Configuration
Title source: llmDescription
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.
References (3)
Core 3
Core References
Issue Tracking, Mitigation, Patch, Third Party Advisory x_refsource_confirm
https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/vercel/next.js/pull/34075
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/vercel/next.js/releases/tag/v12.1.0
Scores
CVSS v3
5.9
EPSS
0.0200
EPSS Percentile
78.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-451
Status
published
Products (2)
npm/next
10.0.0 - 12.1.0npm
vercel/next.js
10.0.0 - 12.1.0
Published
Feb 17, 2022
Tracked Since
Feb 18, 2026