Vulnerabilities > CVE-2022-23646 - User Interface (UI) Misrepresentation of Critical Information vulnerability in Vercel Next.Js

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

vercel

CWE-451

NVD

Published: 2022-02-17

Updated: 2022-02-25

Summary

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.

Vulnerable Configurations

Part	Description	Count
Application	Vercel Vercel Next.Js 10.0.0 Vercel Next.Js 10.0.1 Vercel Next.Js 10.0.2 Vercel Next.Js 10.0.3 Vercel Next.Js 10.0.4 Vercel Next.Js 10.0.5 Vercel Next.Js 10.0.6 Vercel Next.Js 10.0.7 Vercel Next.Js 10.0.8 Vercel Next.Js 10.0.9 Vercel Next.Js 10.0.10 Vercel Next.Js 10.1.0 Vercel Next.Js 10.1.1 Vercel Next.Js 10.1.2 Vercel Next.Js 10.1.3 Vercel Next.Js 10.1.4 Vercel Next.Js 10.2.0 Vercel Next.Js 10.2.1 Vercel Next.Js 10.2.2 Vercel Next.Js 10.2.3 Vercel Next.Js 10.2.4 Vercel Next.Js 11.0.0 Vercel Next.Js 11.0.1 Vercel Next.Js 11.0.2 Vercel Next.Js 11.1.0 Vercel Next.Js 11.1.1	257

Common Weakness Enumeration (CWE)

CWE-451 - User Interface (UI) Misrepresentation of Critical Information

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References