XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0
Next.js versions 10.0.0 through 11.1.0 allow an attacker to execute arbitrary JavaScript in visitors' browsers by way of an SVG image when the Image Optimization API is enabled with certain domain configurations. If a site lets users upload SVG files to, or reference SVG files on, a host listed in `images.domains`, the optimizer serves that SVG from the site's own origin, so script inside it runs in the site's context. The issue is fixed in Next.js 11.1.1.
Cross-site scripting (XSS) vulnerability in the Next.js Image Optimization API affecting versions 10.0.0 through 11.1.0. A deployment is affected only when all of the following hold: (1) `images.domains` is set in `next.config.js`; (2) one of those domains serves user-supplied SVG files (uploads or user-controlled references); (3) the default image loader is in use (deployments with a custom loader, or hosted on Vercel, are not affected). The `/_next/image` endpoint takes the remote image in its `url` query parameter and returns the fetched SVG unchanged under the application's origin, so script embedded in the SVG executes in the victim's browser with that origin. Upgrade to 11.1.1 or later; until the upgrade lands, remove any host that serves user-controlled SVG from `images.domains`.
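The following is an added triage example, not code from Next.js, from the advisory, or from TrueHacking. It applies the three affected-conditions above to a deployment's version and `next.config.js`, and scans access-log lines for requests that asked the optimizer (`/_next/image?url=...`) to serve an SVG, which is the request shape a responder would look for. Assumptions not taken from the advisory: the `onVercel` flag is supplied by the caller, the config objects and log lines are constructed samples, and the log scan is an extension-based heuristic (the served content type is not visible in an access log).

```javascript
// Added example (not Next.js or advisory code): triage helpers for the
// Image Optimization API SVG XSS in Next.js 10.0.0..11.1.0.

const FIRST_AFFECTED = [10, 0, 0];
const PATCHED = [11, 1, 1]; // first release with the fix

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function versionAffected(v) {
  const p = parseVersion(v);
  return compareVersions(p, FIRST_AFFECTED) >= 0 && compareVersions(p, PATCHED) < 0;
}

// Conditions (1) and (3) from the advisory can be read from the config; (2),
// whether a listed host serves user-supplied SVG, must be checked per host,
// so the hosts are returned for manual review. `onVercel` is an assumed input.
function assess({ version, config, onVercel = false }) {
  const images = (config && config.images) || {};
  const notAffectedBecause = [];
  if (!versionAffected(version)) notAffectedBecause.push(`version ${version} is not in 10.0.0..11.1.0`);
  if (!Array.isArray(images.domains) || images.domains.length === 0) notAffectedBecause.push('images.domains is not configured');
  if ((images.loader || 'default') !== 'default') notAffectedBecause.push(`non-default loader "${images.loader}"`);
  if (onVercel) notAffectedBecause.push('deployed on Vercel');
  const exposed = notAffectedBecause.length === 0;
  return { exposed, notAffectedBecause, hostsToReview: exposed ? images.domains.slice() : [] };
}

// Constructed sample configs (not from any real project).
const vulnerableConfig = { images: { domains: ['uploads.example.com', 'cdn.example.com'] } };
const customLoaderConfig = { images: { loader: 'imgix', path: 'https://example.imgix.net/', domains: ['uploads.example.com'] } };

// Log triage: the optimizer takes the remote image in the `url` query
// parameter; flag requests where that parameter points at an .svg path.
function findSvgOptimizerRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (!m) continue;
    const req = new URL(m[1], 'http://placeholder.invalid');
    if (req.pathname !== '/_next/image') continue;
    const remote = req.searchParams.get('url');
    if (!remote) continue;
    let remotePath;
    try { remotePath = new URL(remote, 'http://placeholder.invalid').pathname; } catch (e) { continue; }
    if (/\.svg$/i.test(remotePath)) hits.push({ line, remote });
  }
  return hits;
}

// Constructed sample access-log lines (not real traffic).
const sampleLog = [
  '203.0.113.5 - - [10/Sep/2021:12:00:01 +0000] "GET /_next/image?url=https%3A%2F%2Fuploads.example.com%2Fu%2F42%2Favatar.png&w=640&q=75 HTTP/1.1" 200 5120',
  '203.0.113.9 - - [10/Sep/2021:12:00:07 +0000] "GET /_next/image?url=https%3A%2F%2Fuploads.example.com%2Fu%2F77%2Flogo.svg&w=640&q=75 HTTP/1.1" 200 812',
  '203.0.113.9 - - [10/Sep/2021:12:00:09 +0000] "GET /about HTTP/1.1" 200 14300',
];

console.log(assess({ version: '11.0.1', config: vulnerableConfig }));
console.log(assess({ version: '11.1.1', config: vulnerableConfig }));
console.log(findSvgOptimizerRequests(sampleLog).map((h) => h.remote));
```

Run it with Node; `assess` reports a deployment on 11.0.1 with the sample `images.domains` as exposed and lists both hosts for the SVG check, while the same config on 11.1.1, with a custom loader, or on Vercel is reported as not affected. A log hit only tells you an SVG went through the optimizer, not that it contained script, so pull the referenced file and inspect it.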
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →