CVE-2022-23646 Information

Description

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0 Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround change next.config.js to use a different loader configuration other than the default.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj https://github.com/vercel/next.js/releases/tag/v12.1.0 https://github.com/vercel/next.js/pull/34075

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

7.5