GHSA-9gr3-7897-pp7m
GitHub Security Advisory
XSS in Image Optimization API for Next.js
Advisory Details
### Impact
- **Affected:** All of the following must be true to be affected
- Next.js between version 10.0.0 and 11.1.0
- The `next.config.js` file has [`images.domains`](https://nextjs.org/docs/basic-features/image-optimization#domains) array assigned
- The image host assigned in [`images.domains`](https://nextjs.org/docs/basic-features/image-optimization#domains) allows user-provided SVG
- **Not affected**: The `next.config.js` file has [`images.loader`](https://nextjs.org/docs/basic-features/image-optimization#loader) assigned to something other than default
- **Not affected**: Deployments on [Vercel](https://vercel.com) are not affected
### Patches
[Next.js v11.1.1](https://github.com/vercel/next.js/releases/tag/v11.1.1)
Affected Packages
Related CVEs
Key Information
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.