GHSA-wff4-fpwg-qqv3: Unexpected server crash in Next.js

Impact

Certain requests to the Next.js server can trigger an unhandledRejection in the server, which causes the process to exit on Node.js versions that use strict unhandledRejection handling.

  • Affected: All of the following must be true to be affected by this CVE

    • Node.js version above v15.0.0 being used with strict unhandledRejection exiting
    • Next.js version v12.2.3
    • Using next start or a custom server
  • Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where next-server isn’t being shared across requests.
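
An exposure check built from the conditions above, as an added example that is not part of the advisory or the Next.js project: it derives the effective `--unhandled-rejections` mode from the Node.js command line and `NODE_OPTIONS`, then reports which conditions hold. The `env` field names and the `launch` labels are assumptions, as is treating Node.js 15 and later as matching the "above v15.0.0" condition.

```javascript
// Added example: exposure check for the conditions listed in the advisory.
// The `env` field names and `launch` labels are hypothetical.

// Return the last --unhandled-rejections value in argv-style tokens, or null.
function modeFromArgs(tokens) {
  let mode = null;
  for (let i = 0; i < tokens.length; i++) {
    const m = /^--unhandled-rejections(?:=(.+))?$/.exec(tokens[i]);
    if (m) mode = m[1] || tokens[i + 1] || null;
  }
  return mode;
}

// Command-line flag wins over NODE_OPTIONS; otherwise use the Node.js default
// ('throw' since Node.js 15, 'warn' before that).
function effectiveMode(env) {
  const major = parseInt(String(env.nodeVersion).replace(/^v/, ''), 10);
  const cli = modeFromArgs(env.execArgv || []);
  const opts = modeFromArgs((env.nodeOptions || '').split(/\s+/).filter(Boolean));
  return cli || opts || (major >= 15 ? 'throw' : 'warn');
}

// All advisory conditions must hold; `reasons` lists the ones that do not.
function assessExposure(env) {
  const reasons = [];
  const major = parseInt(String(env.nodeVersion).replace(/^v/, ''), 10);
  const mode = effectiveMode(env);
  // 'strict' raises the rejection as an uncaught exception; 'throw' does so
  // only when no process-level 'unhandledRejection' handler is registered.
  const fatal = mode === 'strict' || (mode === 'throw' && !env.hasRejectionHandler);
  if (env.nextVersion !== '12.2.3') reasons.push('next is not 12.2.3');
  if (major < 15) reasons.push('Node.js is older than 15');
  if (!fatal) reasons.push(`unhandled rejections do not exit (mode: ${mode})`);
  if (!['next start', 'custom-server'].includes(env.launch))
    reasons.push('next-server is not shared across requests');
  return { exposed: reasons.length === 0, mode, reasons };
}

// Constructed sample: next version and launch method are filled in by hand.
const sample = {
  nextVersion: '12.2.3',
  nodeVersion: process.version,
  execArgv: process.execArgv,
  nodeOptions: process.env.NODE_OPTIONS,
  launch: 'next start',
  hasRejectionHandler: process.listenerCount('unhandledRejection') > 0,
};
console.log(assessExposure(sample));
```

An empty `reasons` array means every condition in the advisory is met and the deployment should move to the patched release.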

Patches

https://github.com/vercel/next.js/releases/tag/v12.2.4


Unexpected server crash in Next.js

Moderate severity GitHub Reviewed Published Aug 30, 2022 in vercel/next.js


Package

next (npm)

Affected versions

= 12.2.3

Patched versions

12.2.4

ijjk published the maintainer security advisory

Aug 24, 2022

Severity

Moderate

Weaknesses

CWE-248

CVE ID

CVE-2022-36046

GHSA ID

GHSA-wff4-fpwg-qqv3

Related news

CVE-2022-36046: Unexpected server crash in Next.js version 12.2.3

Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server). Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across requests.