CVE-2022-23646
User Interface (UI) Misrepresentation of Critical Information vulnerability in next (npm)
What is CVE-2022-23646 About?
Next.js versions 10.0.0 through 12.0.10 are vulnerable to User Interface (UI) Misrepresentation if `images.domains` is assigned in `next.config.js` and the image host allows user-provided SVGs. This can lead to visual spoofing or other client-side issues, with successful exploitation requiring specific configuration and user interaction.
Affected Software
Technical Details
The vulnerability in Next.js (versions 10.0.0 to 12.1.0 exclusive) arises under specific configuration conditions. If the `next.config.js` file defines an `images.domains` array and a host listed in this array permits the uploading and serving of user-provided SVG images, then UI misrepresentation can occur. An attacker could upload a malicious SVG designed to look like a trusted UI element or to contain embedded scripts. When this SVG is loaded by the Next.js application, it could lead to visual spoofing, phishing attacks, or even client-side script execution, effectively misrepresenting critical information to the user. Deployments whose `images.loader` configuration is set to anything other than the default loader are not affected.
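As an added example (not code from Next.js or from this advisory), the following Node.js helper encodes the conditions above into a configuration audit: it takes a parsed `next.config.js` object, the installed `next` version, and an assumed, operator-maintained list of hosts known to serve user-uploaded SVGs, and reports whether the deployment matches the affected configuration. The `svgHosts` list and the sample config are constructed for illustration.

```javascript
// Added audit helper (not part of Next.js or the advisory): decides whether a
// next.config.js images block plus an installed Next.js version falls under
// the CVE-2022-23646 conditions (affected version, images.domains set,
// default loader, and a domain that may serve user-provided SVGs).

const AFFECTED_MIN = [10, 0, 0]; // first affected version (inclusive)
const FIXED = [12, 1, 0];        // first fixed version (exclusive upper bound)

// "12.0.10" -> [12, 0, 10]; a pre-release suffix such as "-canary.3" is dropped.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function versionInAffectedRange(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// Returns { affected: boolean, reasons: string[] }. `svgHosts` is an assumed,
// operator-maintained allowlist of hosts known to serve user-uploaded SVGs;
// when omitted, every configured domain is treated as a potential risk.
function assessConfig(nextConfig, installedVersion, svgHosts) {
  if (!versionInAffectedRange(installedVersion)) {
    return { affected: false, reasons: [`next@${installedVersion} is outside the affected range`] };
  }
  const images = (nextConfig && nextConfig.images) || {};
  const domains = Array.isArray(images.domains) ? images.domains : [];
  if (domains.length === 0) {
    return { affected: false, reasons: ['images.domains is not configured'] };
  }
  if (images.loader && images.loader !== 'default') {
    return { affected: false, reasons: [`images.loader is "${images.loader}", not the default loader`] };
  }
  const risky = svgHosts ? domains.filter((d) => svgHosts.includes(d)) : domains;
  if (risky.length === 0) {
    return { affected: false, reasons: ['no configured domain is known to serve user-provided SVGs'] };
  }
  return {
    affected: true,
    reasons: [
      `next@${installedVersion} is in the affected range`,
      `images.domains lists host(s) that may serve user SVGs: ${risky.join(', ')}`,
      'remediation: upgrade next to 12.1.0 or later',
    ],
  };
}

// Constructed sample config, not taken from any real deployment.
const sampleConfig = { images: { domains: ['uploads.example.com'] } };
console.log(assessConfig(sampleConfig, '12.0.10', ['uploads.example.com']));
```

Run it with `node` against the object exported by your own `next.config.js` and the version reported by `npm ls next`; an `affected: true` result means the upgrade in the Fixes section below applies.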
What is the Impact of CVE-2022-23646?
Successful exploitation may allow attackers to misrepresent critical information to users, leading to phishing, visual spoofing, or potentially other client-side attacks.
What is the Exploitability of CVE-2022-23646?
Exploitation requires a very specific setup: Next.js within the vulnerable version range, the images.domains array configured in next.config.js, and crucially, the image host specified in images.domains must permit and serve user-provided SVGs. No direct authentication to Next.js itself is needed for the final misrepresentation, but the attacker would need a way to upload or control content on the trusted image host. Privilege requirements are low on the Next.js side, but high on the image host if an attacker needs to compromise it. This is a remote vulnerability, relying on specific application configurations and external services. The complexity is moderate due to the configuration prerequisites, but once met, an attacker familiar with SVG-based attacks could craft effective payloads. The likelihood increases significantly if the application allows unvalidated SVG uploads to a configured image domain without proper content-type checks or sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-23646?
Available Upgrade Options
- next
- >10.0.0, <12.1.0 → Upgrade to 12.1.0
Additional Resources
- https://github.com/vercel/next.js/pull/34075
- https://osv.dev/vulnerability/GHSA-fmvm-x8mv-47mj
- https://github.com/vercel/next.js/releases/tag/v12.1.0
- https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj
- https://nvd.nist.gov/vuln/detail/CVE-2022-23646
- https://github.com/vercel/next.js
What are Similar Vulnerabilities to CVE-2022-23646?
Similar Vulnerabilities: CVE-2019-12290, CVE-2015-0810, CVE-2013-1765, CVE-2009-0268, CVE-2009-0269
