CVE-2021-37699
CVE-2021-37699 is a medium-severity open redirect in Next.js with a CVSS 3.1 base score of 6.1. Next.js is an open source website development framework to be used with the React library. In affected versions, specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to an external site. EPSS estimates a 1.20% chance of exploitation in the next 30 days.
Description
Next.js is an open source website development framework to be used with the React library. In affected versions, specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to an external site. In general, this redirect does not directly harm users, although it can enable phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend that everyone upgrade regardless of whether they can reproduce the issue. The issue has been patched in release 11.1.0.
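The description above names the mechanism without a payload: an encoded path that, once the framework has decoded it and issued the redirect, lands the browser on a host the application never chose. The following is an added example, not Next.js code and not part of the advisory. It shows the check a redirect handler needs: resolve the candidate target against the trusted origin with the WHATWG URL parser, both as received and after one round of percent-decoding (to model a server that decodes the path before redirecting), and fall back to `/` if either form leaves the origin. The origin `https://app.example` and the host `evil.example` are placeholders; the protocol-relative (`//host`), backslash (`/\host`) and triple-slash (`///host`) forms are the ones the WHATWG parser turns into a foreign authority.

```javascript
// Added example (not Next.js or Vercel code). TRUSTED_ORIGIN is an assumption
// standing in for the application's own origin.
const TRUSTED_ORIGIN = "https://app.example";

// True only if `candidate`, resolved against `trustedOrigin` the way a browser
// would resolve a Location header, stays on that origin.
function resolvesToTrustedOrigin(candidate, trustedOrigin) {
  let url;
  try {
    url = new URL(candidate, trustedOrigin);
  } catch {
    return false; // unparseable input is never a safe destination
  }
  // javascript:, data: and other non-special schemes yield origin "null",
  // so they fail this comparison as well.
  return url.origin === new URL(trustedOrigin).origin;
}

// Returns a same-origin path (plus query and fragment) to redirect to, or "/"
// when the requested target cannot be proven to stay on the trusted origin.
function safeRedirectTarget(target, trustedOrigin = TRUSTED_ORIGIN) {
  if (typeof target !== "string" || target.length === 0) return "/";

  // A framework that percent-decodes the path before redirecting turns
  // "/%2F%2Fevil.example" into "///evil.example", which the WHATWG parser
  // resolves to https://evil.example/. Check the raw and decoded forms.
  let decoded;
  try {
    decoded = decodeURIComponent(target);
  } catch {
    return "/"; // malformed percent-encoding
  }
  for (const variant of [target, decoded]) {
    if (!resolvesToTrustedOrigin(variant, trustedOrigin)) return "/";
  }

  // Re-emit only path, query and fragment of the trusted-origin resolution so
  // the Location header can never carry an authority component at all.
  const u = new URL(target, trustedOrigin);
  return u.pathname + u.search + u.hash;
}
```

Usage: `safeRedirectTarget(req.query.next)` in place of passing the raw parameter to the redirect. The function is deliberately strict: anything it cannot resolve to the trusted origin, in either its raw or its decoded form, becomes `/`, which is the right failure mode for a redirect parameter attackers control.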
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (base score 6.1, Medium: reachable over the network, low attack complexity, no privileges required, user interaction required because the victim must follow a crafted link, changed scope since the impact lands in the user's browser rather than the application, low confidentiality and integrity impact, no availability impact)
Weakness Enumeration
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vercel | Next.js | >= 10.0.5, <= 10.2.0 |
| Vercel | Next.js | >= 11.0.0, <= 11.0.1 |
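A practitioner's first question is whether the installed Next.js falls inside the ranges above. The following is an added example, not NVD or Vercel tooling: a dependency-free semver comparison against exactly the two ranges in the table, plus a helper that reads the `version` field from the contents of `node_modules/next/package.json` (the input string in the test is constructed). Prerelease and build suffixes are dropped on purpose, so a canary build of an affected release is treated as affected.

```javascript
// Added example (not NVD or Vercel code). Ranges are copied from the
// Affected Software table for CVE-2021-37699; the fix version is from the
// advisory text.
const AFFECTED_RANGES = [
  { min: "10.0.5", max: "10.2.0" }, // >= 10.0.5, <= 10.2.0
  { min: "11.0.0", max: "11.0.1" }, // >= 11.0.0, <= 11.0.1
];
const FIXED_VERSION = "11.1.0";

// Parse "1.2.3", "v1.2.3" or "1.2.3-canary.4" into [major, minor, patch].
// Prerelease and build metadata are discarded so that a prerelease of an
// affected version is still flagged.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of the three components; -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True if `version` lies inside any affected range (both ends inclusive).
function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) <= 0
  );
}

// Takes the text of node_modules/next/package.json and reports the installed
// version, whether it is in an affected range, and whether it predates the fix.
function checkInstalledNext(packageJsonText) {
  const { name, version } = JSON.parse(packageJsonText);
  if (name !== "next") throw new Error(`expected package "next", got "${name}"`);
  return {
    version,
    affected: isAffected(version),
    belowFix: compareVersions(version, FIXED_VERSION) < 0,
    fixedIn: FIXED_VERSION,
  };
}
```

`affected` answers the narrow question the table asks; `belowFix` is the broader signal the advisory itself prefers, since it recommends upgrading whether or not the issue reproduces. A version such as 10.2.3 sits outside the listed ranges but still predates 11.1.0, and both flags are reported so that the caller can choose the stricter policy.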
References
- https://github.com/vercel/next.js/releases/tag/v11.1.0 (Release Notes, Third Party Advisory)
- https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9 (Third Party Advisory)
Frequently Asked Questions
What is CVE-2021-37699?
An open redirect in Next.js. When pages/_error.js was statically generated, a specially encoded path could redirect the browser from the trusted domain to an external site.
How severe is CVE-2021-37699?
CVSS 3.1 base score 6.1 (Medium). Exploitation needs the victim to follow a crafted link, and the redirect does not directly harm the application; the risk is phishing that starts from a trusted domain. EPSS estimates a 1.20% chance of exploitation in the next 30 days.
How do I fix CVE-2021-37699?
Upgrade Next.js to 11.1.0 or later. The advisory recommends upgrading regardless of whether the issue can be reproduced.
Source: NVD / NIST
