Next.js ResponseCookies function crashes with unhandled exception on decodeURIComponent if a cookie has any string with % in it. #70523
Labels:
- bug: Issue was opened via the bug report template.
- Middleware: Related to Next.js Middleware.
- Runtime: Related to Node.js or Edge Runtime with Next.js.
Link to the code that reproduces this issue
https://github.com/Sathosk/reponse-cookies-issue-reproduction-app
To Reproduce
Current vs. Expected behavior
The application should handle the situation gracefully and not crash.
Instead, the following error occurs:
Provide environment information
Which area(s) are affected? (Select all that apply)
Middleware, Runtime
Which stage(s) are affected? (Select all that apply)
next dev (local), next build (local), next start (local), Other (Deployed)
Additional context
The issue seems to stem from the ResponseCookies function that Next.js provides for creating a new Set-Cookie header.
Before version 14.2.8, cookies set in middleware could not be synced with RSC due to the request-response cycle. To bypass this issue, I implemented a custom function:
This approach worked, but I faced the same issue whenever a cookie contained a % character. It's not uncommon for cookies to have such characters.
The core issue here is that ResponseCookies is not handling exceptions thrown by the decodeURIComponent function. My workaround was to write a custom parser for handling cookies, and I have not faced any problems since.
However, starting with version 14.2.8, the functionality of merging cookies from middleware was added in the source code, essentially doing what I was doing. But the problem persists with the use of ResponseCookies, which crashes the application when decodeURIComponent throws an exception.
While I can implement a fix on my end, I believe this issue should be handled by the framework to prevent similar crashes.
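The failure mode described in this issue, shown as an added example that is not part of the original report and is not Next.js source code: a cookie parser that decodes values with `decodeURIComponent` throws `URIError` on a bare `%`, while a guarded decoder keeps the request alive. The names `safeDecode`, `parseCookieHeader` and `strictParseThrows` are hypothetical, and the sample header is constructed.

```javascript
// Added example: hypothetical helpers, not Next.js code.

// Decode a percent-encoded cookie value without letting URIError escape.
// decodeURIComponent throws URIError on a lone "%" or an invalid escape like "%zz".
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch (err) {
    if (err instanceof URIError) return value; // keep the raw value as sent
    throw err; // anything else is a real bug, do not hide it
  }
}

// Parse a Cookie request header into a Map of name -> value.
// `decode` is injectable so strict and tolerant behaviour can be compared.
function parseCookieHeader(header, decode = safeDecode) {
  const jar = new Map();
  for (const pair of header.split(/;\s*/)) {
    const eq = pair.indexOf("=");
    if (eq === -1) continue; // skip fragments without "="
    const name = pair.slice(0, eq).trim();
    let value = pair.slice(eq + 1).trim();
    // Strip optional surrounding double quotes.
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    // First occurrence of a name wins.
    if (name && !jar.has(name)) jar.set(name, decode(value));
  }
  return jar;
}

// Returns true when an unguarded decodeURIComponent makes parsing throw.
function strictParseThrows(header) {
  try {
    parseCookieHeader(header, decodeURIComponent);
    return false;
  } catch (err) {
    return err instanceof URIError;
  }
}

// Constructed sample: "discount" holds a bare "%", "bad" an invalid escape.
const SAMPLE = "session=abc%20def; discount=50%; bad=%zz; theme=dark";

const cookies = parseCookieHeader(SAMPLE);
console.log(Object.fromEntries(cookies), strictParseThrows(SAMPLE));
```

Falling back to the raw value is one policy; dropping only the malformed cookie is a stricter alternative that also avoids the crash.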