First published: Fri Jan 28 2022
### Impact

Vulnerable code could allow a bad actor to trigger a denial of service attack for anyone running a Next.js app at version >= 12.0.0, and using i18n functionality.

- **Affected:** All of the following must be true to be affected by this CVE
  - Next.js versions above v12.0.0
  - Using `next start` or a custom server
  - Using the built-in i18n support
- **Not affected:**
  - Deployments on Vercel (vercel.com) are not affected, along with similar environments where invalid requests are filtered before reaching Next.js.

### Patches

A patch has been released, `next@12.0.9`, that mitigates this issue. We recommend all affected users upgrade as soon as possible.

### Workarounds

We recommend upgrading whether you can reproduce or not, although you can ensure `/${locale}/_next/` is blocked from reaching the Next.js instance until you upgrade.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [next](https://github.com/vercel/next.js)
* Email us at [security@vercel.com](mailto:security@vercel.com)
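The interim workaround above is to stop `/${locale}/_next/` requests before they reach Next.js. The following is an added example, not code from the advisory or the Next.js project, of a request filter for a Node custom server; the locale list `LOCALES` is an assumed stand-in for the `i18n.locales` entry of your own `next.config.js`, and the handler callback is the Next.js request handler you already have.

```javascript
// Added example (not from the advisory or Next.js): drop requests whose
// path starts with `/<locale>/_next/` before handing them to Next.js.

// Assumption: the locales declared under `i18n.locales` in next.config.js.
const LOCALES = ["en", "fr", "de"];

// True when `pathname` begins with `/<locale>/_next` for a configured
// locale. Only the first two path segments are inspected, so plain
// `/_next/...` asset requests and localized pages such as `/fr/about`
// are left alone. The path is percent-decoded first so an encoded
// separator (e.g. `%2F`) cannot hide the prefix; an undecodable path is
// treated as blocked rather than forwarded.
function isLocalePrefixedNextPath(pathname, locales = LOCALES) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch (_) {
    return true; // malformed percent-encoding: do not forward
  }
  const segments = decoded.split("/"); // "/fr/_next/x" -> ["", "fr", "_next", "x"]
  if (segments.length < 3) return false;
  const [, first, second] = segments;
  const known = locales.map((l) => l.toLowerCase());
  return known.includes(first.toLowerCase()) && second === "_next";
}

// Middleware for a plain `http` custom server. `forward` is the callback
// that passes the request to Next.js, e.g.
//   server.on("request", (req, res) =>
//     blockLocalePrefixedNextAssets(req, res, () => handle(req, res)));
// Returns true when the request was forwarded, false when it was answered
// here with a 404.
function blockLocalePrefixedNextAssets(req, res, forward) {
  const { pathname } = new URL(req.url, "http://localhost");
  if (isLocalePrefixedNextPath(pathname)) {
    res.statusCode = 404;
    res.end();
    return false;
  }
  forward();
  return true;
}

module.exports = { isLocalePrefixedNextPath, blockLocalePrefixedNextAssets };
```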
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
npm/next | >=12.0.0 <12.0.9 | 12.0.9
Vercel Next.js | >=12.0.0 <12.0.9 | 12.0.9
CVE-2022-21721 is a vulnerability in the Next.js framework, affecting versions 12.0.0 up to but not including 12.0.9, that could allow a denial of service attack against applications using the i18n functionality.
A bad actor can exploit CVE-2022-21721 to trigger a denial of service against Next.js applications that use i18n functionality and are served by `next start` or a custom server.
CVE-2022-21721 has a severity score of 7.5 (high).
To fix CVE-2022-21721, upgrade Next.js to version 12.0.9 or later.
You can find more information about CVE-2022-21721 on the GitHub security advisory page: https://github.com/vercel/next.js/security/advisories/GHSA-wr66-vrwm-5g5x