
CVE-2022-36046: CWE-248: Uncaught Exception in vercel next.js

Severity: Medium
Published: Wed Aug 31 2022 (08/31/2022, 18:55:09 UTC)
Source: CVE
Vendor/Project: vercel
Product: next.js

Description

Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server). Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across requests.

AI-Powered Analysis

Last updated: 06/22/2025, 23:20:54 UTC

Technical Analysis

CVE-2022-36046 is a medium-severity vulnerability affecting Next.js version 12.2.3, a popular React framework used for building web applications. The vulnerability arises from an uncaught exception scenario (CWE-248) when running Next.js with Node.js versions above 15.0.0 under specific conditions. Specifically, it manifests if the Node.js environment is configured with the strict 'unhandledRejection' policy that causes the process to exit on unhandled promise rejections, and if the application is started using 'next start' or a custom server setup where the 'next-server' instance is shared across requests. This combination can lead to unhandled exceptions causing the Node.js process to terminate unexpectedly. Notably, deployments on Vercel's managed platform or similar environments where 'next-server' instances are not shared across requests are not affected. The vulnerability does not have known exploits in the wild, and no official patches or fixes are referenced in the provided information. The root cause is the lack of proper exception handling for certain asynchronous operations, which leads to process crashes under strict unhandled rejection policies. This can result in denial of service conditions for affected applications, impacting availability.

Potential Impact

For European organizations relying on Next.js 12.2.3 in production environments with Node.js versions above 15.0.0, this vulnerability can cause unexpected application downtime due to process crashes triggered by unhandled promise rejections. This primarily impacts the availability of web services, potentially disrupting business operations, customer access, and internal workflows. Organizations using custom server implementations or the 'next start' command in self-managed environments are at risk, whereas those deploying on Vercel or similar managed platforms are not affected. The impact is particularly relevant for sectors with high web service availability requirements such as e-commerce, financial services, healthcare, and public sector digital services. While confidentiality and integrity are not directly compromised by this vulnerability, the denial of service could indirectly affect business continuity and user trust. Given the absence of known exploits, the immediate threat level is moderate, but the potential for denial of service warrants proactive mitigation.

Mitigation Recommendations

European organizations should first identify any applications running Next.js version 12.2.3 with Node.js versions above 15.0.0, especially those using 'next start' or custom server configurations. Immediate mitigation steps include:

1) Upgrading Next.js to a later version where this issue is resolved, or applying any vendor-provided patches once available.
2) Reviewing and adjusting the Node.js runtime configuration to avoid a strict 'unhandledRejection' policy that exits the process, or implementing robust global exception handlers that catch unhandled promise rejections gracefully.
3) Refactoring custom server implementations so that a 'next-server' instance is not shared across requests, or migrating to deployment environments such as Vercel that isolate server instances per request.
4) Implementing process monitoring and automatic restart mechanisms (e.g., PM2 or systemd) to minimize downtime if a crash occurs.
5) Testing application error-handling paths thoroughly to ensure that no unhandled exception can cause process termination.

These steps go beyond generic advice by focusing on the specific configuration and architectural changes relevant to this vulnerability.
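The following is an added example, not code from the advisory, from Next.js or from Vercel. It shows the defensive pattern behind mitigation steps 2 and 5 for a self-hosted Node.js server: a promise rejection raised while serving one request is caught at the request boundary and turned into a generic 500 response, so it never escapes as an `unhandledRejection` event, which Node.js 15 and later treat as fatal by default (`--unhandled-rejections=throw`). A process-level handler is included as a last resort for rejections that bypass the wrapper. The names `guard`, `installRejectionGuard` and `makeFakeResponse` are chosen for this example; the fake response object is a constructed stand-in so the code runs without opening a socket.

```javascript
'use strict';
// Added example (not part of the advisory, Next.js or Vercel code).
// Defensive wrapper for a self-hosted Node.js server: keep a rejection from
// one request's async handler from escaping as an `unhandledRejection`,
// which Node >= 15 converts into a process exit by default.

// Wrap an async (or sync) request handler so that every rejection is caught
// here. On failure the client receives a generic 500, the error goes to
// `report`, and the returned promise always resolves, so nothing reaches the
// process-level `unhandledRejection` event.
function guard(handler, report = console.error) {
  return function guarded(req, res) {
    return Promise.resolve()
      .then(() => handler(req, res)) // sync throws become rejections here
      .catch((err) => {
        report('request failed:', err);
        if (!res.headersSent) {
          res.statusCode = 500;
          res.setHeader('content-type', 'text/plain');
          res.end('Internal Server Error');
        }
        return { status: 500, handled: true };
      });
  };
}

// Last-resort process-level handler for rejections that bypass `guard`
// (for example fire-and-forget promises started in background work).
// It records and logs the rejection instead of letting Node's default policy
// terminate the shared server process. Returns the counter plus a function
// that removes the listener again.
function installRejectionGuard(report = console.error) {
  const stats = { count: 0 };
  const listener = (reason) => {
    stats.count += 1;
    report('unhandled rejection kept from crashing the process:', reason);
  };
  process.on('unhandledRejection', listener);
  return { stats, uninstall: () => process.off('unhandledRejection', listener) };
}

// Constructed stand-in for http.ServerResponse so the wrapper can be
// exercised offline (hypothetical helper for this example).
function makeFakeResponse() {
  const res = { statusCode: 200, headersSent: false, headers: {}, body: '' };
  res.setHeader = (name, value) => { res.headers[name.toLowerCase()] = value; };
  res.end = (chunk = '') => { res.body += chunk; res.headersSent = true; };
  return res;
}

// Demo: a handler that rejects is run against the fake response to show the
// 500 path. With a real server the shape would be
// http.createServer(guard(app.getRequestHandler())).listen(port).
if (typeof require !== 'undefined' && require.main === module) {
  const flaky = guard(async () => { throw new Error('simulated failure in handler'); });
  const res = makeFakeResponse();
  flaky({ url: '/' }, res).then((result) => {
    console.log('status', res.statusCode, 'result', result);
  });
}

module.exports = { guard, installRejectionGuard, makeFakeResponse };
```

Catching at the request boundary is the preferred fix: the failing request gets a clean error while every other request served by the same process continues. The process-level listener is only a safety net; after it fires, the server keeps running in an unknown state, so log the event, alert on it, and still keep a supervisor such as PM2 or systemd (step 4) in place for the crashes that do get through.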


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf3be6

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/22/2025, 11:20:54 PM

Last updated: 7/25/2025, 9:01:37 PM
