PT-2022-15063 · Next.js · Next.js

Credits: Ijjk (+1)
Published: 2022-01-28 · Updated: 2023-07-24
CVE-2022-21721
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Next.js versions 12.0.0 through 12.0.8

Description: The issue allows a bad actor to trigger a denial of service attack against anyone using the i18n functionality. To be affected, one must use `next start` or a custom server together with the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected.

Recommendations: For Next.js versions 12.0.0 through 12.0.8, upgrade to next@12.0.9 to mitigate the issue. As a temporary workaround, ensure that requests to /${locale}/_next/ are blocked from reaching the Next.js instance until it becomes feasible to upgrade.
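The temporary workaround above, applied in a custom server, as an added example that is not part of this advisory or of the Next.js project: a guard wrapped around the Next.js request handler that answers 404 to any `/<locale>/_next/...` request before Next.js sees it. It assumes the locale list mirrors the `i18n.locales` array in next.config.js and that `handle` is the result of `app.getRequestHandler()`.

```javascript
// Added example, not code from the advisory or from Next.js itself.
// Locale matching is case-insensitive and also checks the percent-decoded
// path so an encoded locale segment cannot slip past the filter.
function isLocalePrefixedNextPath(pathname, locales) {
  const wanted = new Set(locales.map((l) => l.toLowerCase()));
  const check = (p) => {
    const segs = p.split("/"); // "", "<locale>", "_next", ...
    return segs.length >= 3 && wanted.has(segs[1].toLowerCase()) && segs[2] === "_next";
  };
  if (check(pathname)) return true;
  try {
    return check(decodeURIComponent(pathname));
  } catch {
    return false; // malformed percent-encoding: leave it to Next.js's own handling
  }
}

// Wraps the Next.js request handler; `locales` is assumed to equal
// the i18n.locales array from next.config.js.
function guardLocaleNextPaths(handle, locales) {
  return (req, res) => {
    const { pathname } = new URL(req.url, "http://localhost");
    if (isLocalePrefixedNextPath(pathname, locales)) {
      res.statusCode = 404;
      res.setHeader("Content-Type", "text/plain");
      res.end("Not Found");
      return;
    }
    return handle(req, res);
  };
}

// Usage in a custom server (illustrative):
//   const app = next({ dev: false });
//   const handle = app.getRequestHandler();
//   await app.prepare();
//   http.createServer(guardLocaleNextPaths(handle, ["en-US", "fr"])).listen(3000);

if (typeof module !== "undefined") {
  module.exports = { isLocalePrefixedNextPath, guardLocaleNextPaths };
}
```

Legitimate clients never request `/<locale>/_next/...` (Next.js serves its assets from `/_next/` without a locale prefix), so the guard does not affect normal traffic.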

Tags: Exploit · Fix · RCE · Resource Exhaustion

Weakness Enumeration

Related Identifiers: CVE-2022-21721, GHSA-WR66-VRWM-5G5X

Affected Products: Next.js