{"id":"CVE-2022-23646","summary":"Improper CSP in Image Optimization API for Next.js","details":"Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.","aliases":["GHSA-fmvm-x8mv-47mj"],"modified":"2026-04-17T04:21:16.751622Z","published":"2022-02-17T20:35:12Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23646.json","cwe_ids":["CWE-451"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/vercel/next.js/releases/tag/v12.1.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23646.json"},{"type":"ADVISORY","url":"https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23646"},{"type":"FIX","url":"https://github.com/vercel/next.js/pull/34075"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vercel/next.js","events":[{"introduced":"118ab7992bc8f7a7e5a7bb996510d9b56ffe4f68"},{"fixed":"8545fd1bb02244ced9e8dc9584a764aeae296cd0"}],"database_specific":{"cpe":"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"10.0.0"},{"fixed":"12.1.0"}],"source":["CPE_FIELD","REFERENCES"]}}],"versions":["v10.0.0","v10.0.1","v10.0.1-canary.0","v10.0.1-canary.1","v10.0.1-canary.2","v10.0.1-canary.3","v10.0.1-canary.4","v10.0.1-canary.5","v10.0.1-canary.6","v10.0.1-canary.7","v10.0.10-canary.0","v10.0.10-canary.1","v10.0.10-canary.10","v10.0.10-canary.11","v10.0.10-canary.12","v10.0.10-canary.13","v10.0.10-canary.14","v10.0.10-canary.2","v10.0.10-canary.3","v10.0.10-canary.4","v10.0.10-canary.5","v10.0.10-canary.6","v10.0.10-canary.7","v10.0.10-canary.8","v10.0.10-canary.9","v10.0.2","v10.0.2-canary.0","v10.0.2-canary.1","v10.0.2-canary.10","v10.0.2-canary.11","v10.0.2-canary.12","v10.0.2-canary.13","v10.0.2-canary.14","v10.0.2-canary.15","v10.0.2-canary.16","v10.0.2-canary.17","v10.0.2-canary.18","v10.0.2-canary.19","v10.0.2-canary.2","v10.0.2-canary.20","v10.0.2-canary.3","v10.0.2-canary.4","v10.0.2-canary.5","v10.0.2-canary.6","v10.0.2-canary.7","v10.0.2-canary.8","v10.0.2-canary.9","v10.0.3","v10.0.3-canary.0","v10.0.3-canary.1","v10.0.3-canary.2","v10.0.3-canary.3","v10.0.4","v10.0.4-canary.0","v10.0.4-canary.1","v10.0.4-canary.10","v10.0.4-canary.2","v10.0.4-canary.3","v10.0.4-canary.4","v10.0.4-canary.5","v10.0.4-canary.6","v10.0.4-canary.7","v10.0.4-canary.8","v10.0.4-canary.9","v10.0.5","v10.0.5-canary.0","v10.0.5-canary.1","v10.0.5-canary.10","v10.0.5-canary.11","v10.0.5-canary.12","v10.0.5-canary.2","v10.0.5-canary.3","v10.0.5-canary.4","v10.0.5-canary.5","v10.0.5-canary.6","v10.0.5-canary.7","v10.0.5-canary.8","v10.0.5-canary.9","v10.0.6","v10.0.6-canary.0","v10.0.6-canary.1","v10.0.6-canary.10","v10.0.6-canary.11","v10.0.6-canary.12","v10.0.6-canary.2","v10.0.6-canary.3","v10.0.6-canary.4","v10.0.6-canary.5","v10.0.6-canary.6","v10.0.6-canary.7","v10.0.6-canary.8","v10.0.6-canary.9","v10.0.7","v10.0.7-canary.0","v10.0.7-canary.1","v10.0.7-canary.2","v10.0.7-canary.3","v10.0.7-canary.4","v10.0.7-canary.5","v10.0.7-canary.6","v10.0.7-canary.7","v10.0.7-canary.8","v10.0.8","v10.0.8-canary.0","v10.0.8-canary.1","v10.0.8-canary.10","v10.0.8-canary.11","v10.0.8-canary.12","v10.0.8-canary.13","v10.0.8-canary.14","v10.0.8-canary.15","v10.0.8-canary.16","v10.0.8-canary.17","v10.0.8-canary.2","v10.0.8-canary.3","v10.0.8-canary.4","v10.0.8-canary.5","v10.0.8-canary.6","v10.0.8-canary.7","v10.0.8-canary.8","v10.0.8-canary.9","v10.0.9","v10.0.9-canary.0","v10.0.9-canary.1","v10.0.9-canary.2","v10.0.9-canary.3","v10.0.9-canary.4","v10.0.9-canary.5","v10.0.9-canary.6","v10.0.9-canary.7","v10.0.9-canary.8","v10.1.0","v10.1.1","v10.1.1-canary.0","v10.1.2","v10.1.2-canary.0","v10.1.3","v10.1.3-canary.0","v10.1.3-canary.1","v10.1.3-canary.2","v10.1.4-canary.0","v10.1.4-canary.1","v10.1.4-canary.10","v10.1.4-canary.11","v10.1.4-canary.12","v10.1.4-canary.13","v10.1.4-canary.14","v10.1.4-canary.15","v10.1.4-canary.16","v10.1.4-canary.17","v10.1.4-canary.18","v10.1.4-canary.2","v10.1.4-canary.3","v10.1.4-canary.4","v10.1.4-canary.5","v10.1.4-canary.6","v10.1.4-canary.7","v10.1.4-canary.8","v10.1.4-canary.9","v10.2.0","v10.2.1","v10.2.1-canary.0","v10.2.1-canary.1","v10.2.1-canary.10","v10.2.1-canary.11","v10.2.1-canary.12","v10.2.1-canary.2","v10.2.1-canary.3","v10.2.1-canary.4","v10.2.1-canary.5","v10.2.1-canary.6","v10.2.1-canary.7","v10.2.1-canary.8","v10.2.1-canary.9","v10.2.2","v10.2.2-canary.0","v10.2.2-canary.1","v10.2.3","v10.2.3-canary.0","v10.2.3-canary.1","v10.2.4-canary.0","v10.2.4-canary.1","v10.2.4-canary.10","v10.2.4-canary.11","v10.2.4-canary.12","v10.2.4-canary.13","v10.2.4-canary.14","v10.2.4-canary.15","v10.2.4-canary.16","v10.2.4-canary.17","v10.2.4-canary.18","v10.2.4-canary.19","v10.2.4-canary.2","v10.2.4-canary.3","v10.2.4-canary.4","v10.2.4-canary.5","v10.2.4-canary.6","v10.2.4-canary.7","v10.2.4-canary.8","v10.2.4-canary.9","v11.0.0","v11.0.1","v11.0.1-canary.0","v11.0.1-canary.1","v11.0.1-canary.2","v11.0.1-canary.3","v11.0.1-canary.4","v11.0.1-canary.5","v11.0.1-canary.6","v11.0.1-canary.7","v11.0.1-canary.8","v11.0.2-canary.0","v11.0.2-canary.1","v11.0.2-canary.10","v11.0.2-canary.11","v11.0.2-canary.12","v11.0.2-canary.13","v11.0.2-canary.14","v11.0.2-canary.15","v11.0.2-canary.16","v11.0.2-canary.17","v11.0.2-canary.18","v11.0.2-canary.19","v11.0.2-canary.2","v11.0.2-canary.20","v11.0.2-canary.21","v11.0.2-canary.22","v11.0.2-canary.23","v11.0.2-canary.24","v11.0.2-canary.25","v11.0.2-canary.26","v11.0.2-canary.27","v11.0.2-canary.28","v11.0.2-canary.29","v11.0.2-canary.3","v11.0.2-canary.30","v11.0.2-canary.31","v11.0.2-canary.4","v11.0.2-canary.5","v11.0.2-canary.6","v11.0.2-canary.7","v11.0.2-canary.8","v11.0.2-canary.9","v11.1.0","v11.1.1","v11.1.1-canary.0","v11.1.1-canary.1","v11.1.1-canary.10","v11.1.1-canary.11","v11.1.1-canary.12","v11.1.1-canary.13","v11.1.1-canary.14","v11.1.1-canary.15","v11.1.1-canary.16","v11.1.1-canary.17","v11.1.1-canary.18","v11.1.1-canary.19","v11.1.1-canary.2","v11.1.1-canary.3","v11.1.1-canary.4","v11.1.1-canary.5","v11.1.1-canary.6","v11.1.1-canary.7","v11.1.1-canary.8","v11.1.1-canary.9","v11.1.2","v11.1.2-canary.0","v11.1.3-canary.0","v11.1.3-canary.1","v11.1.3-canary.10","v11.1.3-canary.100","v11.1.3-canary.101","v11.1.3-canary.102","v11.1.3-canary.103","v11.1.3-canary.104","v11.1.3-canary.105","v11.1.3-canary.11","v11.1.3-canary.12","v11.1.3-canary.13","v11.1.3-canary.14","v11.1.3-canary.15","v11.1.3-canary.16","v11.1.3-canary.17","v11.1.3-canary.18","v11.1.3-canary.19","v11.1.3-canary.2","v11.1.3-canary.20","v11.1.3-canary.21","v11.1.3-canary.22","v11.1.3-canary.23","v11.1.3-canary.24","v11.1.3-canary.25","v11.1.3-canary.26","v11.1.3-canary.27","v11.1.3-canary.28","v11.1.3-canary.29","v11.1.3-canary.3","v11.1.3-canary.30","v11.1.3-canary.31","v11.1.3-canary.32","v11.1.3-canary.33","v11.1.3-canary.34","v11.1.3-canary.35","v11.1.3-canary.36","v11.1.3-canary.37","v11.1.3-canary.38","v11.1.3-canary.39","v11.1.3-canary.4","v11.1.3-canary.40","v11.1.3-canary.41","v11.1.3-canary.42","v11.1.3-canary.43","v11.1.3-canary.44","v11.1.3-canary.45","v11.1.3-canary.46","v11.1.3-canary.47","v11.1.3-canary.48","v11.1.3-canary.49","v11.1.3-canary.5","v11.1.3-canary.50","v11.1.3-canary.51","v11.1.3-canary.52","v11.1.3-canary.53","v11.1.3-canary.54","v11.1.3-canary.55","v11.1.3-canary.56","v11.1.3-canary.57","v11.1.3-canary.58","v11.1.3-canary.59","v11.1.3-canary.6","v11.1.3-canary.60","v11.1.3-canary.61","v11.1.3-canary.62","v11.1.3-canary.63","v11.1.3-canary.64","v11.1.3-canary.65","v11.1.3-canary.66","v11.1.3-canary.67","v11.1.3-canary.68","v11.1.3-canary.69","v11.1.3-canary.7","v11.1.3-canary.70","v11.1.3-canary.71","v11.1.3-canary.72","v11.1.3-canary.73","v11.1.3-canary.74","v11.1.3-canary.75","v11.1.3-canary.76","v11.1.3-canary.77","v11.1.3-canary.78","v11.1.3-canary.79","v11.1.3-canary.8","v11.1.3-canary.80","v11.1.3-canary.81","v11.1.3-canary.82","v11.1.3-canary.83","v11.1.3-canary.84","v11.1.3-canary.85","v11.1.3-canary.86","v11.1.3-canary.87","v11.1.3-canary.88","v11.1.3-canary.89","v11.1.3-canary.9","v11.1.3-canary.90","v11.1.3-canary.91","v11.1.3-canary.92","v11.1.3-canary.93","v11.1.3-canary.94","v11.1.3-canary.95","v11.1.3-canary.96","v11.1.3-canary.97","v11.1.3-canary.98","v11.1.3-canary.99","v12.0.0","v12.0.1","v12.0.1-canary.0","v12.0.1-canary.1","v12.0.1-canary.2","v12.0.1-canary.3","v12.0.1-canary.4","v12.0.1-canary.5","v12.0.10","v12.0.10-canary.0","v12.0.10-canary.1","v12.0.10-canary.2","v12.0.11-canary.0","v12.0.11-canary.1","v12.0.11-canary.10","v12.0.11-canary.11","v12.0.11-canary.12","v12.0.11-canary.13","v12.0.11-canary.14","v12.0.11-canary.15","v12.0.11-canary.16","v12.0.11-canary.17","v12.0.11-canary.18","v12.0.11-canary.19","v12.0.11-canary.2","v12.0.11-canary.20","v12.0.11-canary.21","v12.0.11-canary.3","v12.0.11-canary.4","v12.0.11-canary.5","v12.0.11-canary.6","v12.0.11-canary.7","v12.0.11-canary.8","v12.0.11-canary.9","v12.0.2","v12.0.2-canary.0","v12.0.2-canary.1","v12.0.2-canary.10","v12.0.2-canary.11","v12.0.2-canary.12","v12.0.2-canary.13","v12.0.2-canary.14","v12.0.2-canary.2","v12.0.2-canary.3","v12.0.2-canary.4","v12.0.2-canary.5","v12.0.2-canary.6","v12.0.2-canary.7","v12.0.2-canary.8","v12.0.2-canary.9","v12.0.3","v12.0.3-canary.0","v12.0.3-canary.1","v12.0.3-canary.10","v12.0.3-canary.2","v12.0.3-canary.3","v12.0.3-canary.4","v12.0.3-canary.5","v12.0.3-canary.6","v12.0.3-canary.7","v12.0.3-canary.8","v12.0.3-canary.9","v12.0.4","v12.0.4-canary.0","v12.0.4-canary.1","v12.0.4-canary.10","v12.0.4-canary.11","v12.0.4-canary.12","v12.0.4-canary.13","v12.0.4-canary.14","v12.0.4-canary.15","v12.0.4-canary.2","v12.0.4-canary.3","v12.0.4-canary.4","v12.0.4-canary.5","v12.0.4-canary.6","v12.0.4-canary.8","v12.0.4-canary.9","v12.0.5","v12.0.5-canary.0","v12.0.5-canary.1","v12.0.5-canary.10","v12.0.5-canary.11","v12.0.5-canary.12","v12.0.5-canary.13","v12.0.5-canary.14","v12.0.5-canary.16","v12.0.5-canary.18","v12.0.5-canary.19","v12.0.5-canary.2","v12.0.5-canary.3","v12.0.5-canary.4","v12.0.5-canary.5","v12.0.5-canary.6","v12.0.5-canary.7","v12.0.5-canary.8","v12.0.5-canary.9","v12.0.6","v12.0.6-canary.0","v12.0.7","v12.0.7-canary.0","v12.0.8","v12.0.8-canary.0","v12.0.8-canary.1","v12.0.8-canary.10","v12.0.8-canary.11","v12.0.8-canary.12","v12.0.8-canary.13","v12.0.8-canary.14","v12.0.8-canary.15","v12.0.8-canary.16","v12.0.8-canary.17","v12.0.8-canary.18","v12.0.8-canary.19","v12.0.8-canary.2","v12.0.8-canary.20","v12.0.8-canary.21","v12.0.8-canary.22","v12.0.8-canary.3","v12.0.8-canary.4","v12.0.8-canary.5","v12.0.8-canary.6","v12.0.8-canary.7","v12.0.8-canary.8","v12.0.8-canary.9","v12.0.9","v12.0.9-canary.0","v12.0.9-canary.1","v12.0.9-canary.10","v12.0.9-canary.11","v12.0.9-canary.12","v12.0.9-canary.2","v12.0.9-canary.3","v12.0.9-canary.4","v12.0.9-canary.5","v12.0.9-canary.6","v12.0.9-canary.7","v12.0.9-canary.8","v12.0.9-canary.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23646.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}