Platform
nodejs
Component
next
Fixed in
11.1.1
11.1.0
CVE-2021-37699 describes an Open Redirect vulnerability discovered in Next.js, a popular React-based website development framework. This flaw allows attackers to redirect users to arbitrary external websites, potentially facilitating phishing attacks. The vulnerability impacts versions 10.0.5 through 10.2.0 and 11.0.0 through 11.0.1 when pages/_error.js is statically generated without proper input validation. A fix is available in Next.js version 11.1.0.
The primary impact of CVE-2021-37699 is the potential for phishing attacks. An attacker could craft a malicious URL that, when clicked, redirects a user from a trusted Next.js domain to a fraudulent website designed to steal credentials or sensitive information. While the redirect itself doesn't directly harm the user's system, the subsequent phishing attack could have severe consequences, including account compromise and data theft. The vulnerability's reliance on pages/_error.js being statically generated limits its scope, but any application utilizing this configuration pattern is potentially at risk. This is similar to other open redirect vulnerabilities where trusted domains are leveraged to gain user trust before redirecting to malicious sites.
CVE-2021-37699 was publicly disclosed on August 12, 2021. There is no indication of this vulnerability being actively exploited in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the ease with which the vulnerability can be triggered. The EPSS score is likely low, reflecting the lack of active exploitation and the relatively limited scope of the vulnerability.
Exploit Status
EPSS
0.43% (62% percentile)
CVSS Vector
The recommended mitigation for CVE-2021-37699 is to upgrade to Next.js version 11.1.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block redirects to suspicious domains. Additionally, carefully review and sanitize any user-supplied input used in redirect URLs within your pages/_error.js file. Ensure proper validation and encoding to prevent malicious path manipulation. After upgrading, confirm the fix by attempting to trigger the redirect with a known malicious URL; the redirect should be blocked or handled securely.
Update Next.js to version 11.1.0 or higher. This will fix the open redirect vulnerability. You can update using npm or yarn.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2021-37699 is a vulnerability in Next.js allowing attackers to redirect users to malicious sites via specially crafted URLs, potentially leading to phishing attacks. It affects versions 10.0.5-10.2.0 and 11.0.0-11.0.1.
You are affected if you are using Next.js versions 10.0.5 through 10.2.0 or 11.0.0 through 11.0.1 and utilizing pages/_error.js without proper input validation.
Upgrade to Next.js version 11.1.0 or later to resolve the vulnerability. As a temporary workaround, implement a WAF rule to block suspicious redirects.
There is currently no evidence of CVE-2021-37699 being actively exploited in the wild.
Refer to the Next.js security advisory: https://github.com/vercel/next.js/security/advisories/GHSA-5g9j-844x-993c
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.