Impact

• Affected: All of the following must be true to be affected by this CVE
  • Next.js versions above v11.1.0 and below v12.0.5
  • Node.js above v15.0.0 being used
  • Using next start or a custom server
• Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reaching Next.js.

Patches

https://github.com/vercel/next.js/releases/tag/v12.0.5
https://github.com/vercel/next.js/releases/tag/v11.1.3