Improper CSP in Image Optimization API for Next.js
CVE-2022-23646

5.9MEDIUM

Key Information:

Vendor

Vercel
Status
Next.js
Vendor
CVE Published:
17 February 2022

What is CVE-2022-23646?

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

next.js >= 10.0.0, < 12.1.0

References

https://github.com/vercel/next.js/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/vercel/next.js/pull/34075
x_refsource_MISC
https://github.com/vercel/next.js/releases/tag/v12.1.0
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.