CVE-2022-23646
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned, and the image host listed in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than the default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a loader configuration other than the default.
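The affected conditions above can be turned into a triage check that runs over a project's version and `next.config.js` object. This is an added example, not code from the advisory or from Next.js; the hostnames and `parseSemver`/`isAffected` helpers are constructed here, while the non-default loader names and the `path` option are Next.js 12 settings.

```javascript
// Added triage helper for CVE-2022-23646; example code, not part of the
// advisory or of Next.js. It encodes the advisory's affected conditions:
//   - Next.js version >= 10.0.0 and < 12.1.0
//   - next.config.js has a non-empty images.domains array
//   - images.loader is unset or 'default'
// Loader names other than 'default' ('imgix', 'cloudinary', 'akamai', 'custom')
// and the `path` option are Next.js 12 settings; the hostnames are constructed.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator; pre-release tags are ignored.
function compareVersions(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when the version/config pair matches the advisory's affected shape.
// The config cannot tell you whether a listed host serves user-supplied SVG,
// so a `true` result means "review these hosts", not confirmed exposure.
function isAffected(nextVersion, config) {
  const inRange = compareVersions(nextVersion, '10.0.0') >= 0 &&
                  compareVersions(nextVersion, '12.1.0') < 0;
  const images = (config && config.images) || {};
  const hasDomains = Array.isArray(images.domains) && images.domains.length > 0;
  const defaultLoader = images.loader === undefined || images.loader === 'default';
  return inRange && hasDomains && defaultLoader;
}

// Constructed configs: the affected shape, and the workaround the advisory
// names (a loader other than the default; upgrading to 12.1.0 is the fix).
const affectedConfig = {
  images: { domains: ['uploads.example.com'] },
};
const workaroundConfig = {
  images: { loader: 'imgix', path: 'https://example.imgix.net/' },
};

console.log(isAffected('12.0.10', affectedConfig));   // true
console.log(isAffected('12.0.10', workaroundConfig)); // false
console.log(isAffected('12.1.0', affectedConfig));    // false
```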
Published: 2022-02-17T21:15:07.883
Last Modified: 2024-11-21T06:49:00.657
Status: Modified
Source: [email protected]
Severity: CVSSv3.1 5.9 (MEDIUM)
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
- Access Vector: NETWORK
- Access Complexity: MEDIUM
- Authentication: NONE
- Confidentiality Impact: NONE
- Integrity Impact: PARTIAL
- Availability Impact: NONE
Exploitability Score: 8.6
Impact Score: 2.9
Weaknesses
Affected Vendors & Products
Type | Vendor | Product | Version/Range | Vulnerable?
Application | vercel | next.js | < 12.1.0 | Yes
References
- https://github.com/vercel/next.js/pull/34075 (Issue Tracking, Patch, Third Party Advisory) [[email protected]]
- https://github.com/vercel/next.js/releases/tag/v12.1.0 (Release Notes, Third Party Advisory) [[email protected]]
- https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj (Issue Tracking, Mitigation, Patch, Third Party Advisory) [[email protected]]
- https://github.com/vercel/next.js/pull/34075 (Issue Tracking, Patch, Third Party Advisory) [af854a3a-2127-422b-91ae-364da2661108]
- https://github.com/vercel/next.js/releases/tag/v12.1.0 (Release Notes, Third Party Advisory) [af854a3a-2127-422b-91ae-364da2661108]
- https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj (Issue Tracking, Mitigation, Patch, Third Party Advisory) [af854a3a-2127-422b-91ae-364da2661108]