Headline
CVE-2022-36046: Unexpected server crash in Next.js version 12.2.3
Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict unhandledRejection exiting AND using next start or a custom server. Deployments on Vercel (vercel.com) are not affected along with similar environments where next-server isn’t being shared across requests.
Impact
When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling.
Affected: All of the following must be true to be affected by this CVE
- Node.js version above v15.0.0 being used with strict unhandledRejection exiting
- Next.js version v12.2.3
- Using next start or a custom server
Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where next-server isn’t being shared across requests.
Patches
https://github.com/vercel/next.js/releases/tag/v12.2.4
Related news
### Impact When specific requests are made to the Next.js server it can cause an `unhandledRejection` in the server which can crash the process to exit in specific Node.js versions with strict `unhandledRejection` handling. - Affected: All of the following must be true to be affected by this CVE - Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting - Next.js version v12.2.3 - Using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server) - Not affected: Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across requests. ### Patches https://github.com/vercel/next.js/releases/tag/v12.2.4