Unexpected server crash in Next.js

GHSA-wff4-fpwg-qqv3 · CVE-2022-36046

Published Aug 30, 2022 · Modified Nov 8, 2023

Description

Impact

When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling.

Affected: All of the following must be true to be affected by this CVE
- Node.js version above v15.0.0 being used with strict unhandledRejection exiting
- Next.js version v12.2.3
- Using next start or a custom server
Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where next-server isn't being shared across requests.

Patches

https://github.com/vercel/next.js/releases/tag/v12.2.4

References

WEB https://github.com/vercel/next.js/security/advisories/GHSA-wff4-fpwg-qqv3
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-36046
WEB https://github.com/vercel/next.js/releases/tag/v12.2.4

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes