ghsa-wff4-fpwg-qqv3
Vulnerability from github
Published
2022-08-30 20:38
Modified
2022-09-08 14:17
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Unexpected server crash in Next.js
Details

Impact

When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling.

  • Affected: All of the following must be true to be affected by this CVE
  • Node.js version above v15.0.0 being used with strict unhandledRejection exiting
  • Next.js version v12.2.3

  • Using next start or a custom server

  • Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where next-server isn't being shared across requests.

Patches

https://github.com/vercel/next.js/releases/tag/v12.2.4

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.2.3"
            },
            {
              "fixed": "12.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "12.2.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-30T20:38:34Z",
    "nvd_published_at": "2022-08-31T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen specific requests are made to the Next.js server it can cause an `unhandledRejection` in the server which can crash the process to exit in specific Node.js versions with strict `unhandledRejection` handling. \n\n- Affected: All of the following must be true to be affected by this CVE\n  - Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting\n  - Next.js version v12.2.3\n  - Using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server)\n \n- Not affected: Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn\u0027t being shared across requests.\n\n### Patches\nhttps://github.com/vercel/next.js/releases/tag/v12.2.4\n",
  "id": "GHSA-wff4-fpwg-qqv3",
  "modified": "2022-09-08T14:17:38Z",
  "published": "2022-08-30T20:38:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-wff4-fpwg-qqv3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36046"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v12.2.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unexpected server crash in Next.js"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.