CVE-2022-36046

2022-08-3119:15:08

CWE-754

CWE-248

[email protected]

web.nvd.nist.gov

next.js

react framework

web applications

cve-2022-36046

node.js

unhandledrejection

vercel

custom server

security advisory

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.9%

JSON

Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict unhandledRejection exiting AND using next start or a custom server. Deployments on Vercel (vercel.com) are not affected along with similar environments where next-server isn’t being shared across requests.

Affected configurations

Vulners

NVD

Node

vercelnext.jsMatch12.2.3

VendorProductVersionCPE
vercelnext\.js12.2.3cpe:2.3:a:vercel:next\.js:12.2.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vercel	next\.js	12.2.3	cpe:2.3:a:vercel:next\.js:12.2.3:::::::*

CNA Affected

[
  {
    "product": "next.js",
    "vendor": "vercel",
    "versions": [
      {
        "status": "affected",
        "version": "= 12.2.3"
      }
    ]
  }
]