CVE-2022-23646

Source
https://cve.org/CVERecord?id=CVE-2022-23646
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23646.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-23646
Aliases
Published
2022-02-17T20:35:12Z
Modified
2026-04-13T04:19:56.421790Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Improper CSP in Image Optimization API for Next.js
Details

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. An instance is affected only if its next.config.js file has an images.domains array assigned and the image host assigned in images.domains allows user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a loader configuration other than the default.

Database specific
{
    "cwe_ids": [
        "CWE-451"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23646.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/vercel/next.js

Affected ranges

Type
GIT
Repo
https://github.com/vercel/next.js
Events
Database specific
{
    "source": [
        "CPE_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "12.1.0"
        }
    ],
    "cpe": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*"
}

Affected versions

v10.*
v10.0.0
v10.0.1
v10.0.1-canary.0
v10.0.1-canary.1
v10.0.1-canary.2
v10.0.1-canary.3
v10.0.1-canary.4
v10.0.1-canary.5
v10.0.1-canary.6
v10.0.1-canary.7
v10.0.10-canary.0
v10.0.10-canary.1
v10.0.10-canary.10
v10.0.10-canary.11
v10.0.10-canary.12
v10.0.10-canary.13
v10.0.10-canary.14
v10.0.10-canary.2
v10.0.10-canary.3
v10.0.10-canary.4
v10.0.10-canary.5
v10.0.10-canary.6
v10.0.10-canary.7
v10.0.10-canary.8
v10.0.10-canary.9
v10.0.2
v10.0.2-canary.0
v10.0.2-canary.1
v10.0.2-canary.10
v10.0.2-canary.11
v10.0.2-canary.12
v10.0.2-canary.13
v10.0.2-canary.14
v10.0.2-canary.15
v10.0.2-canary.16
v10.0.2-canary.17
v10.0.2-canary.18
v10.0.2-canary.19
v10.0.2-canary.2
v10.0.2-canary.20
v10.0.2-canary.3
v10.0.2-canary.4
v10.0.2-canary.5
v10.0.2-canary.6
v10.0.2-canary.7
v10.0.2-canary.8
v10.0.2-canary.9
v10.0.3
v10.0.3-canary.0
v10.0.3-canary.1
v10.0.3-canary.2
v10.0.3-canary.3
v10.0.4
v10.0.4-canary.0
v10.0.4-canary.1
v10.0.4-canary.10
v10.0.4-canary.2
v10.0.4-canary.3
v10.0.4-canary.4
v10.0.4-canary.5
v10.0.4-canary.6
v10.0.4-canary.7
v10.0.4-canary.8
v10.0.4-canary.9
v10.0.5
v10.0.5-canary.0
v10.0.5-canary.1
v10.0.5-canary.10
v10.0.5-canary.11
v10.0.5-canary.12
v10.0.5-canary.2
v10.0.5-canary.3
v10.0.5-canary.4
v10.0.5-canary.5
v10.0.5-canary.6
v10.0.5-canary.7
v10.0.5-canary.8
v10.0.5-canary.9
v10.0.6
v10.0.6-canary.0
v10.0.6-canary.1
v10.0.6-canary.10
v10.0.6-canary.11
v10.0.6-canary.12
v10.0.6-canary.2
v10.0.6-canary.3
v10.0.6-canary.4
v10.0.6-canary.5
v10.0.6-canary.6
v10.0.6-canary.7
v10.0.6-canary.8
v10.0.6-canary.9
v10.0.7
v10.0.7-canary.0
v10.0.7-canary.1
v10.0.7-canary.2
v10.0.7-canary.3
v10.0.7-canary.4
v10.0.7-canary.5
v10.0.7-canary.6
v10.0.7-canary.7
v10.0.7-canary.8
v10.0.8
v10.0.8-canary.0
v10.0.8-canary.1
v10.0.8-canary.10
v10.0.8-canary.11
v10.0.8-canary.12
v10.0.8-canary.13
v10.0.8-canary.14
v10.0.8-canary.15
v10.0.8-canary.16
v10.0.8-canary.17
v10.0.8-canary.2
v10.0.8-canary.3
v10.0.8-canary.4
v10.0.8-canary.5
v10.0.8-canary.6
v10.0.8-canary.7
v10.0.8-canary.8
v10.0.8-canary.9
v10.0.9
v10.0.9-canary.0
v10.0.9-canary.1
v10.0.9-canary.2
v10.0.9-canary.3
v10.0.9-canary.4
v10.0.9-canary.5
v10.0.9-canary.6
v10.0.9-canary.7
v10.0.9-canary.8
v10.1.0
v10.1.1
v10.1.1-canary.0
v10.1.2
v10.1.2-canary.0
v10.1.3
v10.1.3-canary.0
v10.1.3-canary.1
v10.1.3-canary.2
v10.1.4-canary.0
v10.1.4-canary.1
v10.1.4-canary.10
v10.1.4-canary.11
v10.1.4-canary.12
v10.1.4-canary.13
v10.1.4-canary.14
v10.1.4-canary.15
v10.1.4-canary.16
v10.1.4-canary.17
v10.1.4-canary.18
v10.1.4-canary.2
v10.1.4-canary.3
v10.1.4-canary.4
v10.1.4-canary.5
v10.1.4-canary.6
v10.1.4-canary.7
v10.1.4-canary.8
v10.1.4-canary.9
v10.2.0
v10.2.1
v10.2.1-canary.0
v10.2.1-canary.1
v10.2.1-canary.10
v10.2.1-canary.11
v10.2.1-canary.12
v10.2.1-canary.2
v10.2.1-canary.3
v10.2.1-canary.4
v10.2.1-canary.5
v10.2.1-canary.6
v10.2.1-canary.7
v10.2.1-canary.8
v10.2.1-canary.9
v10.2.2
v10.2.2-canary.0
v10.2.2-canary.1
v10.2.3
v10.2.3-canary.0
v10.2.3-canary.1
v10.2.4-canary.0
v10.2.4-canary.1
v10.2.4-canary.10
v10.2.4-canary.11
v10.2.4-canary.12
v10.2.4-canary.13
v10.2.4-canary.14
v10.2.4-canary.15
v10.2.4-canary.16
v10.2.4-canary.17
v10.2.4-canary.18
v10.2.4-canary.19
v10.2.4-canary.2
v10.2.4-canary.3
v10.2.4-canary.4
v10.2.4-canary.5
v10.2.4-canary.6
v10.2.4-canary.7
v10.2.4-canary.8
v10.2.4-canary.9
v11.*
v11.0.0
v11.0.1
v11.0.1-canary.0
v11.0.1-canary.1
v11.0.1-canary.2
v11.0.1-canary.3
v11.0.1-canary.4
v11.0.1-canary.5
v11.0.1-canary.6
v11.0.1-canary.7
v11.0.1-canary.8
v11.0.2-canary.0
v11.0.2-canary.1
v11.0.2-canary.10
v11.0.2-canary.11
v11.0.2-canary.12
v11.0.2-canary.13
v11.0.2-canary.14
v11.0.2-canary.15
v11.0.2-canary.16
v11.0.2-canary.17
v11.0.2-canary.18
v11.0.2-canary.19
v11.0.2-canary.2
v11.0.2-canary.20
v11.0.2-canary.21
v11.0.2-canary.22
v11.0.2-canary.23
v11.0.2-canary.24
v11.0.2-canary.25
v11.0.2-canary.26
v11.0.2-canary.27
v11.0.2-canary.28
v11.0.2-canary.29
v11.0.2-canary.3
v11.0.2-canary.30
v11.0.2-canary.31
v11.0.2-canary.4
v11.0.2-canary.5
v11.0.2-canary.6
v11.0.2-canary.7
v11.0.2-canary.8
v11.0.2-canary.9
v11.1.0
v11.1.1
v11.1.1-canary.0
v11.1.1-canary.1
v11.1.1-canary.10
v11.1.1-canary.11
v11.1.1-canary.12
v11.1.1-canary.13
v11.1.1-canary.14
v11.1.1-canary.15
v11.1.1-canary.16
v11.1.1-canary.17
v11.1.1-canary.18
v11.1.1-canary.19
v11.1.1-canary.2
v11.1.1-canary.3
v11.1.1-canary.4
v11.1.1-canary.5
v11.1.1-canary.6
v11.1.1-canary.7
v11.1.1-canary.8
v11.1.1-canary.9
v11.1.2
v11.1.2-canary.0
v11.1.3-canary.0
v11.1.3-canary.1
v11.1.3-canary.10
v11.1.3-canary.100
v11.1.3-canary.101
v11.1.3-canary.102
v11.1.3-canary.103
v11.1.3-canary.104
v11.1.3-canary.105
v11.1.3-canary.11
v11.1.3-canary.12
v11.1.3-canary.13
v11.1.3-canary.14
v11.1.3-canary.15
v11.1.3-canary.16
v11.1.3-canary.17
v11.1.3-canary.18
v11.1.3-canary.19
v11.1.3-canary.2
v11.1.3-canary.20
v11.1.3-canary.21
v11.1.3-canary.22
v11.1.3-canary.23
v11.1.3-canary.24
v11.1.3-canary.25
v11.1.3-canary.26
v11.1.3-canary.27
v11.1.3-canary.28
v11.1.3-canary.29
v11.1.3-canary.3
v11.1.3-canary.30
v11.1.3-canary.31
v11.1.3-canary.32
v11.1.3-canary.33
v11.1.3-canary.34
v11.1.3-canary.35
v11.1.3-canary.36
v11.1.3-canary.37
v11.1.3-canary.38
v11.1.3-canary.39
v11.1.3-canary.4
v11.1.3-canary.40
v11.1.3-canary.41
v11.1.3-canary.42
v11.1.3-canary.43
v11.1.3-canary.44
v11.1.3-canary.45
v11.1.3-canary.46
v11.1.3-canary.47
v11.1.3-canary.48
v11.1.3-canary.49
v11.1.3-canary.5
v11.1.3-canary.50
v11.1.3-canary.51
v11.1.3-canary.52
v11.1.3-canary.53
v11.1.3-canary.54
v11.1.3-canary.55
v11.1.3-canary.56
v11.1.3-canary.57
v11.1.3-canary.58
v11.1.3-canary.59
v11.1.3-canary.6
v11.1.3-canary.60
v11.1.3-canary.61
v11.1.3-canary.62
v11.1.3-canary.63
v11.1.3-canary.64
v11.1.3-canary.65
v11.1.3-canary.66
v11.1.3-canary.67
v11.1.3-canary.68
v11.1.3-canary.69
v11.1.3-canary.7
v11.1.3-canary.70
v11.1.3-canary.71
v11.1.3-canary.72
v11.1.3-canary.73
v11.1.3-canary.74
v11.1.3-canary.75
v11.1.3-canary.76
v11.1.3-canary.77
v11.1.3-canary.78
v11.1.3-canary.79
v11.1.3-canary.8
v11.1.3-canary.80
v11.1.3-canary.81
v11.1.3-canary.82
v11.1.3-canary.83
v11.1.3-canary.84
v11.1.3-canary.85
v11.1.3-canary.86
v11.1.3-canary.87
v11.1.3-canary.88
v11.1.3-canary.89
v11.1.3-canary.9
v11.1.3-canary.90
v11.1.3-canary.91
v11.1.3-canary.92
v11.1.3-canary.93
v11.1.3-canary.94
v11.1.3-canary.95
v11.1.3-canary.96
v11.1.3-canary.97
v11.1.3-canary.98
v11.1.3-canary.99
v12.*
v12.0.0
v12.0.1
v12.0.1-canary.0
v12.0.1-canary.1
v12.0.1-canary.2
v12.0.1-canary.3
v12.0.1-canary.4
v12.0.1-canary.5
v12.0.10
v12.0.10-canary.0
v12.0.10-canary.1
v12.0.10-canary.2
v12.0.11-canary.0
v12.0.11-canary.1
v12.0.11-canary.10
v12.0.11-canary.11
v12.0.11-canary.12
v12.0.11-canary.13
v12.0.11-canary.14
v12.0.11-canary.15
v12.0.11-canary.16
v12.0.11-canary.17
v12.0.11-canary.18
v12.0.11-canary.19
v12.0.11-canary.2
v12.0.11-canary.20
v12.0.11-canary.21
v12.0.11-canary.3
v12.0.11-canary.4
v12.0.11-canary.5
v12.0.11-canary.6
v12.0.11-canary.7
v12.0.11-canary.8
v12.0.11-canary.9
v12.0.2
v12.0.2-canary.0
v12.0.2-canary.1
v12.0.2-canary.10
v12.0.2-canary.11
v12.0.2-canary.12
v12.0.2-canary.13
v12.0.2-canary.14
v12.0.2-canary.2
v12.0.2-canary.3
v12.0.2-canary.4
v12.0.2-canary.5
v12.0.2-canary.6
v12.0.2-canary.7
v12.0.2-canary.8
v12.0.2-canary.9
v12.0.3
v12.0.3-canary.0
v12.0.3-canary.1
v12.0.3-canary.10
v12.0.3-canary.2
v12.0.3-canary.3
v12.0.3-canary.4
v12.0.3-canary.5
v12.0.3-canary.6
v12.0.3-canary.7
v12.0.3-canary.8
v12.0.3-canary.9
v12.0.4
v12.0.4-canary.0
v12.0.4-canary.1
v12.0.4-canary.10
v12.0.4-canary.11
v12.0.4-canary.12
v12.0.4-canary.13
v12.0.4-canary.14
v12.0.4-canary.15
v12.0.4-canary.2
v12.0.4-canary.3
v12.0.4-canary.4
v12.0.4-canary.5
v12.0.4-canary.6
v12.0.4-canary.8
v12.0.4-canary.9
v12.0.5
v12.0.5-canary.0
v12.0.5-canary.1
v12.0.5-canary.10
v12.0.5-canary.11
v12.0.5-canary.12
v12.0.5-canary.13
v12.0.5-canary.14
v12.0.5-canary.16
v12.0.5-canary.18
v12.0.5-canary.19
v12.0.5-canary.2
v12.0.5-canary.3
v12.0.5-canary.4
v12.0.5-canary.5
v12.0.5-canary.6
v12.0.5-canary.7
v12.0.5-canary.8
v12.0.5-canary.9
v12.0.6
v12.0.6-canary.0
v12.0.7
v12.0.7-canary.0
v12.0.8
v12.0.8-canary.0
v12.0.8-canary.1
v12.0.8-canary.10
v12.0.8-canary.11
v12.0.8-canary.12
v12.0.8-canary.13
v12.0.8-canary.14
v12.0.8-canary.15
v12.0.8-canary.16
v12.0.8-canary.17
v12.0.8-canary.18
v12.0.8-canary.19
v12.0.8-canary.2
v12.0.8-canary.20
v12.0.8-canary.21
v12.0.8-canary.22
v12.0.8-canary.3
v12.0.8-canary.4
v12.0.8-canary.5
v12.0.8-canary.6
v12.0.8-canary.7
v12.0.8-canary.8
v12.0.8-canary.9
v12.0.9
v12.0.9-canary.0
v12.0.9-canary.1
v12.0.9-canary.10
v12.0.9-canary.11
v12.0.9-canary.12
v12.0.9-canary.2
v12.0.9-canary.3
v12.0.9-canary.4
v12.0.9-canary.5
v12.0.9-canary.6
v12.0.9-canary.7
v12.0.9-canary.8
v12.0.9-canary.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23646.json"