Will It Vibe logoWill It Vibe?
NEXT-005Medium severity-8 points

next/image dangerouslyAllowSVG enabled

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

images.dangerouslyAllowSVG lets the image optimizer serve SVG files, which can carry embedded scripts. Without a strict content-security-policy this is a stored XSS vector for user-supplied images.

Why it matters

images.dangerouslyAllowSVG lets the next/image optimizer serve SVG files. SVGs can embed <script> and event handlers, so if any optimized image can be user-supplied this becomes a stored cross-site scripting vector. The option name includes "dangerously" for exactly this reason.

How to fix it

Remove dangerouslyAllowSVG unless you fully control every SVG source. If you must serve SVG through the optimizer, pair it with a strict contentSecurityPolicy in the images config (for example "default-src 'self'; script-src 'none'; sandbox") so embedded scripts cannot run.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks