CVE-2022-23646
- Source
- https://cve.org/CVERecord?id=CVE-2022-23646
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23646.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-23646
- Aliases
- Published
- 2022-02-17T20:35:12Z
- Modified
- 2025-12-04T10:16:58.209923Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Improper CSP in Image Optimization API for Next.js
- Details
-
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the
next.config.jsfile must have animages.domainsarray assigned and the image host assigned inimages.domainsmust allow user-provided SVG. If thenext.config.jsfile hasimages.loaderassigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, changenext.config.jsto use a differentloader configurationother than the default. - Database specific
{ "cwe_ids": [ "CWE-451" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23646.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23646.json
- https://github.com/vercel/next.js/pull/34075
- https://github.com/vercel/next.js/releases/tag/v12.1.0
- https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj
- https://nvd.nist.gov/vuln/detail/CVE-2022-23646