VYPR
Moderate severityNVD Advisory· Published Jan 28, 2022· Updated May 5, 2025

DOS Vulnerability in next.js

CVE-2022-21721

Description

Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, next@12.0.9, that mitigates this issue. As a workaround, one may ensure /${locale}/_next/ is blocked from reaching the Next.js instance until it becomes feasible to upgrade.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nextnpm
>= 12.0.0, < 12.0.912.0.9

Affected products

2
  • Next.js/Next.jsdescription
  • ghsa-coords
    Range: >= 12.0.0, < 12.0.9

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.