GoogleOSV:GHSA-WFF4-FPWG-QQV3Unexpected server crash in Next.js
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
33.0%
Impact
When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling.
-
Affected: All of the following must be true to be affected by this CVE
- Node.js version above v15.0.0 being used with strict
unhandledRejectionexiting - Next.js version v12.2.3
- Using next start or a custom server
- Node.js version above v15.0.0 being used with strict
-
Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where
next-serverisnโt being shared across requests.
Patches
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
33.0%