PT-2022-16157 · Next.Js · Next.Js

Styfle · Published 2022-02-17 · Updated 2022-02-25 · CVE-2022-23646

CVSS v3.1 5.9 Medium
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Next.js versions 10.0.0 through 12.0.10 (fixed in 12.1.0)
Description Next.js is a React framework. Affected versions are vulnerable to User Interface (UI) Misrepresentation of Critical Information through the next/image configuration. An instance is affected only when all of the following hold: next.config.js assigns an images.domains array, at least one host listed in images.domains allows user-provided SVG, and images.loader is unset or left at its default value. An instance whose next.config.js sets images.loader to anything other than the default is not affected.
Recommendations For Next.js versions 10.0.0 through 12.0.10, update to version 12.1.0, which resolves the issue. As a temporary workaround for those versions, change next.config.js so that images.loader is set to a non-default value, for example 'imgix' or 'custom'. Switching loaders changes how next/image builds image URLs (a 'custom' loader needs a loader implementation supplied by the application), so verify that images still render after applying the workaround.
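To turn the affected-configuration conditions above into a repeatable check, here is an added triage helper, written for this page and not part of Next.js or the advisory. It takes a parsed next.config.js object and a Next.js version string and reports whether the instance matches the advisory's affected shape: version from 10.0.0 up to but not including 12.1.0, a non-empty images.domains array, and images.loader unset or 'default'. The function names, the two sample configs and the host user-uploads.example.com are assumptions made for the example. Whether a listed host really serves user-provided SVG cannot be decided from the config file, so the helper reports config-level exposure only and leaves that condition to manual review.

```javascript
// Added example (not Next.js project code): a triage helper applying the
// advisory's stated conditions for CVE-2022-23646 to a parsed next.config.js
// object plus a Next.js version string.
//
// Conditions taken from the advisory text:
//   1. Next.js version v satisfies 10.0.0 <= v < 12.1.0
//   2. next.config.js has a non-empty images.domains array
//   3. images.loader is unset or 'default'
// Whether a listed domain actually serves user-provided SVG is not knowable
// from the config alone, so this helper only reports config-level exposure.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release and build
// suffixes are ignored) into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two version strings numerically, component by component.
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies in the affected range [10.0.0, 12.1.0).
function versionInAffectedRange(version) {
  return compareVersions(version, '10.0.0') >= 0 &&
         compareVersions(version, '12.1.0') < 0;
}

// True when the version is affected AND the config has the affected shape.
function isAffected(config, version) {
  if (!versionInAffectedRange(version)) return false;
  const images = (config && config.images) || {};
  const domains = Array.isArray(images.domains) ? images.domains : [];
  if (domains.length === 0) return false;           // condition 2 not met
  const loader = images.loader === undefined ? 'default' : images.loader;
  return loader === 'default';                       // condition 3
}

// Constructed sample configs (hypothetical host name).
// Affected shape: a remote host is allowed and the loader is left at default.
const vulnerableConfig = {
  images: {
    domains: ['user-uploads.example.com'],
    // images.loader not set -> Next.js uses 'default'
  },
};

// Workaround shape from the advisory: any non-default loader. A 'custom'
// loader additionally requires the application to supply its own loader
// function to next/image, so this is a config change with follow-up work.
const workaroundConfig = {
  images: {
    domains: ['user-uploads.example.com'],
    loader: 'custom',
  },
};

console.log('vulnerableConfig @ 12.0.10 affected:', isAffected(vulnerableConfig, '12.0.10'));
console.log('workaroundConfig @ 12.0.10 affected:', isAffected(workaroundConfig, '12.0.10'));
console.log('vulnerableConfig @ 12.1.0 affected:', isAffected(vulnerableConfig, '12.1.0'));
```

The version comparison is numeric per component, so 12.0.10 is correctly ordered after 12.0.9 and before 12.1.0; a plain string comparison would get both of those wrong, which matters here because the patched release is exactly the first minor after the affected range.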

Weakness Enumeration

UI Misrepresentation of Critical Information (CWE-451)

Related Identifiers

CVE-2022-23646
GHSA-FMVM-X8MV-47MJ

Affected Products

Next.Js