Vulnerability Description
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vercel | Next.Js | >= 10.0.0, < 12.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/vercel/next.js/pull/34075Issue TrackingPatchThird Party Advisory
- https://github.com/vercel/next.js/releases/tag/v12.1.0Release NotesThird Party Advisory
- https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mjIssue TrackingMitigationPatch
- https://github.com/vercel/next.js/pull/34075Issue TrackingPatchThird Party Advisory
- https://github.com/vercel/next.js/releases/tag/v12.1.0Release NotesThird Party Advisory
- https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mjIssue TrackingMitigationPatch
FAQ
What is CVE-2022-23646?
CVE-2022-23646 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected,...
How severe is CVE-2022-23646?
CVE-2022-23646 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23646?
Check the references section above for vendor advisories and patch information. Affected products include: Vercel Next.Js.