
CVE-2022-21721: n/a in n/a

Severity: Medium
Type: Vulnerability
Published: Fri Jan 28 2022 (01/28/2022, 22:00:17 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, `next@12.0.9`, that mitigates this issue. As a workaround, one may ensure `/${locale}/_next/` is blocked from reaching the Next.js instance until it becomes feasible to upgrade.

AI-Powered Analysis

Last updated: 07/06/2025, 23:25:30 UTC

Technical Analysis

CVE-2022-21721 is a medium-severity vulnerability affecting Next.js, a popular React framework used for server-side rendering and static site generation. The vulnerability exists in versions starting from 12.0.0 up to but not including 12.0.9, specifically impacting deployments that utilize the built-in internationalization (i18n) functionality. The issue allows an unauthenticated attacker to trigger a denial of service (DoS) condition by sending crafted requests targeting the i18n routing mechanism. This vulnerability requires that the Next.js application be run using 'next start' or a custom server setup, as opposed to managed environments like Vercel, which filter invalid requests and thus are not affected. The attack vector involves sending requests to paths such as '/{locale}/_next/' that exploit the i18n routing logic, causing resource exhaustion or application crashes. The vulnerability does not impact confidentiality or integrity but affects availability, making the application unresponsive to legitimate users. A patch was released in version 12.0.9 of Next.js that addresses this issue. Until upgrading is feasible, a recommended workaround is to block requests matching the pattern '/{locale}/_next/' from reaching the Next.js server. The CVSS v3.1 score is 5.9 (medium), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to availability. No known exploits in the wild have been reported to date.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to web applications built with Next.js versions 12.0.0 through 12.0.8 that use the i18n feature and are self-hosted or run on custom servers without upstream filtering. The DoS attack can disrupt availability of public-facing websites or internal portals, potentially causing service outages, loss of customer trust, and operational disruption. Organizations relying on Next.js for multilingual content delivery may experience degraded user experience or downtime, impacting e-commerce, government services, media, and other sectors with significant web presence. Since the vulnerability does not affect deployments on Vercel or similar platforms that filter requests, organizations using such managed services are less at risk. However, self-hosted environments without proper request filtering remain vulnerable. The impact is availability-focused and does not compromise data confidentiality or integrity, but service disruption can have significant business consequences, especially for high-traffic or critical applications.

Mitigation Recommendations

1. Upgrade Next.js to version 12.0.9 or later immediately to apply the official patch that fixes the vulnerability.
2. If upgrading is not immediately possible, implement network-level or application-level filtering that blocks requests matching the pattern '/{locale}/_next/' so they never reach the Next.js server. This can be done with a web application firewall (WAF), a reverse proxy, or server configuration rules.
3. Review server and application logs for unusual request patterns targeting i18n routes and monitor for attempted DoS.
4. For organizations using custom servers, ensure that input validation and rate limiting are in place to mitigate abuse of routing mechanisms.
5. Consider migrating to managed hosting platforms such as Vercel, which inherently filter invalid requests, if operationally feasible.
6. Conduct regular dependency audits and vulnerability scans to detect outdated Next.js versions and other vulnerable components.
7. Educate development and operations teams about the importance of timely patching and secure configuration of internationalization features.
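As an added example (not code from the Next.js project or from this advisory), the following JavaScript is a reference implementation of the match rule behind workaround item 2: a guard placed in front of a self-hosted app that answers 404 to any `/{locale}/_next/` request before it reaches Next.js. The locale list is a constructed stand-in for the application's own `i18n.locales` setting, and the sample URLs are constructed; the same rule can be ported to a WAF or reverse proxy.

```javascript
// Added example: edge filter for the CVE-2022-21721 workaround.
// Locale list is constructed; in practice copy it from next.config.js i18n.locales.
const LOCALES = ["en", "fr", "de-DE"];

// Percent-decode one path segment, leaving malformed encodings untouched.
function decodeSafely(segment) {
  try { return decodeURIComponent(segment); } catch { return segment; }
}

// True when the path has the shape /{locale}/_next/... . The locale match is
// case-insensitive and the check tolerates duplicate slashes and a percent-
// encoded "_next" so that trivial variants of the path do not slip past.
function isLocalePrefixedNextPath(pathname, locales = LOCALES) {
  const known = new Set(locales.map((l) => l.toLowerCase()));
  const segments = pathname.split("/").filter(Boolean).map(decodeSafely);
  return (
    segments.length >= 2 &&
    known.has(segments[0].toLowerCase()) &&
    segments[1] === "_next"
  );
}

// Decide on a raw request URL (path plus optional query). Returns the status
// the filter sends (404 = dropped before Next.js) or 0 = pass through.
function filterDecision(rawUrl, locales = LOCALES) {
  const { pathname } = new URL(rawUrl, "http://localhost");
  return isLocalePrefixedNextPath(pathname, locales) ? 404 : 0;
}

// Guard for a Node http server: short-circuits matching requests and hands
// everything else to the real application handler (Next.js request handler).
function makeGuard(appHandler, locales = LOCALES) {
  return (req, res) => {
    const status = filterDecision(req.url, locales);
    if (status) { res.statusCode = status; res.end(); return; }
    appHandler(req, res);
  };
}

// Constructed sample request lines a log reviewer might encounter.
const SAMPLE_URLS = [
  "/fr/_next/static/chunks/main.js",   // blocked: locale prefix + _next
  "/DE-de/%5Fnext/data/x.json",        // blocked: mixed case, encoded _next
  "/_next/static/chunks/main.js",      // allowed: ordinary asset path
  "/fr/about?ref=_next",               // allowed: _next only in the query
];
function auditSamples(urls = SAMPLE_URLS, locales = LOCALES) {
  return urls.map((url) => ({ url, status: filterDecision(url, locales) }));
}
```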


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-11-16T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981ec4522896dcbdbe9e

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/6/2025, 11:25:30 PM

Last updated: 8/18/2025, 3:29:52 PM
