CVE-2022-23646: User Interface (UI) Misrepresentation of Critical Information
Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. To be affected, the next.config.js file must have an images.domains array assigned, and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. As a workaround, change next.config.js to use a loader configuration other than the default.
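
The configuration conditions above can be checked mechanically. The following is an added example, not code from Next.js or from this advisory; the function names and the sample hosts are assumptions constructed for illustration, and the check cannot tell whether a listed host actually serves user-provided SVG.

```javascript
// Added example: classify a Next.js config against the conditions in this advisory.
// assessImageConfig and the sample configs below are constructed for illustration.

// next.config.js may export an object or a function (phase, { defaultConfig }).
function resolveConfig(exported) {
  return typeof exported === 'function'
    ? exported('phase-production-build', { defaultConfig: {} })
    : exported;
}

function assessImageConfig(exported) {
  const images = (resolveConfig(exported) || {}).images || {};
  // An unset images.loader means the default loader is in use.
  const loader = images.loader === undefined ? 'default' : images.loader;
  const domains = Array.isArray(images.domains) ? images.domains : [];

  if (loader !== 'default') {
    return { status: 'not-affected', reason: `images.loader is "${loader}"`, reviewHosts: [] };
  }
  if (domains.length === 0) {
    return { status: 'not-affected', reason: 'no host in images.domains', reviewHosts: [] };
  }
  // The config cannot show whether a host serves user-provided SVG,
  // so every listed host is returned for manual review.
  return {
    status: 'review',
    reason: 'default loader with images.domains assigned',
    reviewHosts: domains.slice(),
  };
}

// Constructed sample: matches the configuration conditions of the advisory.
const flaggedConfig = { images: { domains: ['uploads.example.com'] } };

// Constructed sample: the workaround, a loader other than the default.
const workaroundConfig = {
  images: { loader: 'imgix', path: 'https://example.imgix.net/' },
};

for (const [name, cfg] of Object.entries({ flaggedConfig, workaroundConfig })) {
  const r = assessImageConfig(cfg);
  console.log(`${name}: ${r.status} (${r.reason})`, r.reviewHosts);
}
```

A result of review means each host in reviewHosts still has to be checked by hand for user-provided SVG.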