next/image dangerouslyAllowSVG enabled
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
images.dangerouslyAllowSVG lets the image optimizer serve SVG files, which can carry embedded scripts. Without a strict content-security-policy this is a stored XSS vector for user-supplied images.
Why it matters
images.dangerouslyAllowSVG lets the next/image optimizer serve SVG files. SVGs can embed <script> and event handlers, so if any optimized image can be user-supplied this becomes a stored cross-site scripting vector. The option name includes "dangerously" for exactly this reason.
How to fix it
Remove dangerouslyAllowSVG unless you fully control every SVG source. If you must serve SVG through the optimizer, pair it with a strict contentSecurityPolicy in the images config (for example "default-src 'self'; script-src 'none'; sandbox") so embedded scripts cannot run.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo