{"id":"GHSA-wr66-vrwm-5g5x","summary":"Denial of Service Vulnerability in next.js","details":"### Impact\n\nVulnerable code could allow a bad actor to trigger a denial of service attack for anyone running a Next.js app at version \u003e= 12.0.0, and using i18n functionality.\n\n- **Affected:** All of the following must be true to be affected by this CVE\n  - Next.js versions above v12.0.0\n  - Using next start or a custom server\n  - Using the built-in i18n support\n- **Not affected:**\n  - Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.\n\n### Patches\n\nA patch has been released, `next@12.0.9`, that mitigates this issue. We recommend all affected users upgrade as soon as possible.\n\n### Workarounds\n\nWe recommend upgrading whether you can reproduce or not although you can ensure `/${locale}/_next/` is blocked from reaching the Next.js instance until you upgrade.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [next](https://github.com/vercel/next.js)\n* Email us at [security@vercel.com](mailto:security@vercel.com)\n","aliases":["CVE-2022-21721"],"modified":"2023-11-08T04:08:09.355091Z","published":"2022-01-28T23:09:22Z","related":["CVE-2022-21721"],"database_specific":{"nvd_published_at":"2022-01-28T22:15:00Z","severity":"MODERATE","cwe_ids":["CWE-20","CWE-400"],"github_reviewed":true,"github_reviewed_at":"2022-01-28T18:52:54Z"},"references":[{"type":"WEB","url":"https://github.com/vercel/next.js/security/advisories/GHSA-wr66-vrwm-5g5x"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21721"},{"type":"WEB","url":"https://github.com/vercel/next.js/pull/33503"},{"type":"PACKAGE","url":"https://github.com/vercel/next.js"},{"type":"WEB","url":"https://github.com/vercel/next.js/releases/tag/v12.0.9"}],"affected":[{"package":{"name":"next","ecosystem":"npm","purl":"pkg:npm/next"},"ranges":[{"type":"SEMVER","events":[{"introduced":"12.0.0"},{"fixed":"12.0.9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wr66-vrwm-5g5x/GHSA-wr66-vrwm-5g5x.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}