
@mortezapiri

Summary

Adds a security rule to detect overly permissive wildcard hostnames in Next.js images.remotePatterns configuration.

Security Issue

Using hostname: "**" in Next.js image configuration allows loading images from any domain, which can lead to:

  • Image injection attacks
  • Data exfiltration through image requests
  • Potential SSRF vulnerabilities

Solution

The rule detects wildcard hostname patterns and suggests using specific domains or more restrictive patterns.

Files Added

  • javascript/nextjs/security/nextjs-images-wildcard-hostname.yaml - Rule definition
  • javascript/nextjs/security/nextjs-images-wildcard-hostname.js - Test cases

Metadata

  • Category: security
  • CWE: CWE-200 (Exposure of Sensitive Information)
  • OWASP: A05:2021 (Security Misconfiguration)
  • Languages: javascript, typescript
  • Severity: ERROR

Test Coverage

  • 3 negative test cases (should trigger rule)
  • 7 positive test cases (should not trigger rule)
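The misconfiguration this rule targets, shown as an added example (not the Semgrep rule or test file from this PR): a constructed overly permissive `next.config.js` `images.remotePatterns` block beside a restricted one, and a small checker that walks a config object and reports entries whose hostname is the catch-all `"**"`. The config values and the `findWildcardHostnames` function are assumptions made for the example.

```javascript
// Added example, not code from this PR: flag remotePatterns entries whose
// hostname is "**", which lets next/image fetch and optimise images from
// any origin (the image-injection / SSRF exposure described above).

// Constructed sample: the overly permissive configuration the rule detects.
const vulnerableConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: '**' },
    ],
  },
};

// Constructed sample: the same intent, limited to the hosts actually needed.
// "**.cdn.example.com" still uses a wildcard, but only below one domain.
const hardenedConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: 'images.example.com', pathname: '/assets/**' },
      { protocol: 'https', hostname: '**.cdn.example.com' },
    ],
  },
};

// Returns one finding per remotePatterns entry whose hostname is exactly "**".
// Hostnames such as "**.example.com" are not reported: the wildcard there is
// bounded by a concrete parent domain.
function findWildcardHostnames(config) {
  const images = config && config.images;
  const patterns = Array.isArray(images && images.remotePatterns)
    ? images.remotePatterns
    : [];
  const findings = [];
  patterns.forEach((entry, i) => {
    if (entry && entry.hostname === '**') {
      findings.push({
        path: `images.remotePatterns[${i}].hostname`,
        hostname: entry.hostname,
        message: 'hostname "**" allows remote images from any domain; ' +
          'list the specific hosts (or "**.<your-domain>") instead',
      });
    }
  });
  return findings;
}

for (const f of findWildcardHostnames(vulnerableConfig)) {
  console.log(`ERROR ${f.path}: ${f.message}`);
}
console.log(`hardened config findings: ${findWildcardHostnames(hardenedConfig).length}`);
```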

@CLAassistant

CLAassistant commented Sep 28, 2025

CLA assistant check
All committers have signed the CLA.

- Detects overly permissive wildcard hostnames in Next.js images.remotePatterns
- Prevents image injection attacks and potential SSRF vulnerabilities
- Includes comprehensive test cases with positive and negative examples
- Follows security metadata standards (CWE-200, OWASP A05:2021)
- Targets javascript and typescript languages

Fixes: Security misconfiguration in Next.js image configuration
Category: security
Technology: nextjs
@mortezapiri mortezapiri force-pushed the add-nextjs-images-wildcard-hostname-rule branch from ee4d51c to 8602a82 Compare September 28, 2025 19:25