Lucene search

GitHub Advisory DatabaseGHSA-WFF4-FPWG-QQV3

HistoryAug 30, 2022 - 8:38 p.m.

Unexpected server crash in Next.js

2022-08-3020:38:34

CWE-248

CWE-754

GitHub Advisory Database

github.com

server crash

node.js

next.js

unhandledrejection

vercel

patch

cve.

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

32.8%

JSON

Impact

When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling.

Affected: All of the following must be true to be affected by this CVE
- Node.js version above v15.0.0 being used with strict unhandledRejection exiting
- Next.js version v12.2.3
- Using next start or a custom server
Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where next-server isn’t being shared across requests.

Patches

https://github.com/vercel/next.js/releases/tag/v12.2.4

Affected configurations

Vulners

Node

nextMatch12.2.3

VendorProductVersionCPE
*next12.2.3cpe:2.3:a:*:next:12.2.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
*	next	12.2.3	cpe:2.3:a::next:12.2.3:::::::

References

github.com/advisories/GHSA-wff4-fpwg-qqv3

github.com/vercel/next.js/releases/tag/v12.2.4

github.com/vercel/next.js/security/advisories/GHSA-wff4-fpwg-qqv3

nvd.nist.gov/vuln/detail/CVE-2022-36046

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

32.8%

JSON

Related for GHSA-WFF4-FPWG-QQV3