CVE-2022-23646

Improper CSP in Image Optimization API for Next.js

CVSS 5.9 MEDIUM · EPSS 1.8% · CWE-451
In short

Next.js versions 10.0.0 to 12.0.x have a weakness in their image optimization feature that allows attackers to bypass security protections (CSP) when SVG images are used. This could let malicious code execute in users' browsers if an image domain accepts user-uploaded SVGs.

Technical detail

A Content Security Policy (CSP) bypass exists in Next.js Image Optimization API when `images.domains` is configured with hosts that permit user-supplied SVG uploads and the default image loader is used. An attacker can craft malicious SVG content that circumvents CSP restrictions, potentially leading to cross-site scripting (XSS) attacks. Mitigation requires upgrading to version 12.1.0 or configuring a non-default `loader` in `next.config.js`.

Summary generated and translated by AI from the official description.
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader` configuration other than the default.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
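The affected-configuration conditions above can be turned into a quick self-assessment. The following is an added example, not code from the advisory or from the Next.js project: it takes the object a `next.config.js` exports plus the installed Next.js version and reports whether the instance matches the advisory's conditions. The function names, the two sample configs and the `example.com` hosts are constructed here.

```javascript
// Added example, not part of the advisory or of Next.js itself: an exposure
// check for CVE-2022-23646 built from the advisory's stated conditions.
// Function names and the two sample configs below are constructed here.

// Affected range from the advisory: Next.js >= 10.0.0 and < 12.1.0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(version) {
  return compareVersions(version, '10.0.0') >= 0 &&
         compareVersions(version, '12.1.0') < 0;
}

// The advisory's config conditions: an images.domains array assigned (an empty
// array lists no host, so nothing could serve the SVGs) and images.loader left
// at the default. Whether a listed host really accepts user-provided SVG cannot
// be read from the config, so exposed === true means "review these hosts".
function checkExposure(nextConfig, version) {
  const images = (nextConfig && nextConfig.images) || {};
  const domains = Array.isArray(images.domains) ? images.domains : [];
  const loader = images.loader || 'default';
  const exposed = isAffectedVersion(version) && domains.length > 0 && loader === 'default';
  return { exposed, loader, hostsToReview: exposed ? domains : [] };
}

// Constructed sample next.config.js contents (the exported objects).
const defaultLoaderConfig = { images: { domains: ['uploads.example.com'] } };
// The advisory's workaround: a non-default loader. 'imgix' plus 'path' is one of
// the built-in loaders Next.js 10-12 accepted; the path value is made up.
const nonDefaultLoaderConfig = {
  images: { loader: 'imgix', path: 'https://example.imgix.net/', domains: ['uploads.example.com'] },
};

console.log(checkExposure(defaultLoaderConfig, '12.0.7').exposed);     // true
console.log(checkExposure(nonDefaultLoaderConfig, '12.0.7').exposed);  // false
console.log(checkExposure(defaultLoaderConfig, '12.1.0').exposed);     // false
```

A true result only says the instance matches the advisory's preconditions; confirming exposure still requires checking whether the listed hosts actually accept user-uploaded SVG.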
Affected products
vercel · next.js
