5.3

CVSS Score

Basic Information

CVE ID

CVE-2022-36046

GHSA ID

GHSA-wff4-fpwg-qqv3

EPSS Score

CWE

CWE-248

Published

8/30/2022

Updated

1/29/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36046

CVE-2022-36046:
Unexpected server crash in Next.js

Impact

When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling.

Affected: All of the following must be true to be affected by this CVE
- Node.js version above v15.0.0 being used with strict unhandledRejection exiting
- Next.js version v12.2.3
- Using next start or a custom server
Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where next-server isn't being shared across requests.

Patches

https://github.com/vercel/next.js/releases/tag/v12.2.4

(GitHub Advisory)

5.3

CVSS Score

Basic Information

CVE ID

CVE-2022-36046

GHSA ID

GHSA-wff4-fpwg-qqv3

EPSS Score

CWE

CWE-248

Published

8/30/2022

Updated

1/29/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
next	npm	= 12.2.3	12.2.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unhandled promise rejections in edge runtime and server request handling paths. The v12.2.4 release specifically mentions fixing edge runtime rejections (#39091), indicating runEdgeFunction was a source of uncaught exceptions. The Server.handleRequest is implicated as the entry point for custom server implementations where these rejections would bubble up. Both functions would appear in stack traces when processing malicious requests that trigger rejected promises, matching the described crash scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n sp**i*i* r*qu*sts *r* m*** to t** N*xt.js s*rv*r it **n **us* *n `un**n*l**R*j**tion` in t** s*rv*r w*i** **n *r*s* t** pro**ss to *xit in sp**i*i* No**.js v*rsions wit* stri*t `un**n*l**R*j**tion` **n*lin*. - *****t**: *ll o* t**

Reasoning

T** vuln*r**ility st*ms *rom un**n*l** promis* r*j**tions in **** runtim* *n* s*rv*r r*qu*st **n*lin* p*t*s. T** v**.*.* r*l**s* sp**i*i**lly m*ntions *ixin* **** runtim* r*j**tions (#*****), in*i**tin* run*****un*tion w*s * sour** o* un**u**t *x**pt

5.3

Basic Information

Concerned about an active attack path?

CVE-2022-36046: Unexpected server crash in Next.js

Impact

Patches

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-36046:
Unexpected server crash in Next.js

Vulnerability Intelligence
Miggo AI