next
Fixed in: 11.1.1, 11.1.0
CVE-2021-37699 describes an Open Redirect vulnerability discovered in Next.js, a popular React-based website development framework. This flaw allows attackers to redirect users to arbitrary external websites, potentially facilitating phishing attacks. The vulnerability impacts versions 10.0.5 through 10.2.0 and 11.0.0 through 11.0.1 when pages/_error.js is statically generated without proper input validation. A fix is available in Next.js version 11.1.0.
The primary impact of CVE-2021-37699 is the potential for phishing attacks. An attacker could craft a malicious URL that, when clicked, redirects a user from a trusted Next.js domain to a fraudulent website designed to steal credentials or sensitive information. While the redirect itself doesn't directly harm the user's system, the subsequent phishing attack could have severe consequences, including account compromise and data theft. The vulnerability's reliance on pages/_error.js being statically generated limits its scope, but any application utilizing this configuration pattern is potentially at risk. This is similar to other open redirect vulnerabilities where trusted domains are leveraged to gain user trust before redirecting to malicious sites.
CVE-2021-37699 was publicly disclosed on August 12, 2021. There is no indication of this vulnerability being actively exploited in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the ease with which the vulnerability can be triggered. The EPSS score is likely low, reflecting the lack of active exploitation and the relatively limited scope of the vulnerability.
Organizations and developers using Next.js for website development, particularly those relying on the pages/_error.js file for error handling and static generation, are at risk. Shared hosting environments where multiple applications share the same server and configuration are also potentially vulnerable if they are running affected versions of Next.js.
• nodejs / server:
  find /path/to/nextjs/pages/ -name _error.js -print
• generic web:
  curl -I https://your-nextjs-app.com/malicious-redirect | grep Location
• generic web: Inspect access logs for requests containing suspicious redirect URLs (e.g., containing encoded characters or unusual domain names).
EPSS: 0.43% (62nd percentile)
The recommended mitigation for CVE-2021-37699 is to upgrade to Next.js version 11.1.0 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block redirects to suspicious domains. Additionally, carefully review and sanitize any user-supplied input used in redirect URLs within your pages/_error.js file. Ensure proper validation and encoding to prevent malicious path manipulation. After upgrading, confirm the fix by attempting to trigger the redirect with a known malicious URL; the redirect should be blocked or handled securely.
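The input validation the mitigation above calls for, as an added example that is not Next.js project code: a redirect target from user input is only accepted if it resolves to a path on the site's own origin, and anything else falls back to a fixed path. The function name `safeRedirectTarget` and the `siteOrigin` parameter are assumptions for this illustration.

```javascript
// Added example (not Next.js code): allow-list check for a user-supplied
// redirect target before it is handed to a redirect call. Only absolute,
// same-origin paths survive; everything else becomes SAFE_FALLBACK.
const SAFE_FALLBACK = '/';

function safeRedirectTarget(rawTarget, siteOrigin) {
  if (typeof rawTarget !== 'string' || rawTarget.length === 0) {
    return SAFE_FALLBACK;
  }
  let target;
  // Decode once so percent-encoded slashes and backslashes are checked
  // in their decoded form; a malformed sequence is treated as untrusted.
  try {
    target = decodeURIComponent(rawTarget);
  } catch {
    return SAFE_FALLBACK;
  }
  // Must be an absolute path on this site: reject anything that does not
  // start with a single "/", a protocol-relative "//host" form, and any
  // backslash, which some URL parsers normalise to a forward slash.
  if (!target.startsWith('/') || /^[\/\\]{2}/.test(target) || target.includes('\\')) {
    return SAFE_FALLBACK;
  }
  // Resolve against the site origin with the WHATWG URL parser and confirm
  // the resolved origin is still ours (also collapses "/.." segments).
  let resolved;
  try {
    resolved = new URL(target, siteOrigin);
  } catch {
    return SAFE_FALLBACK;
  }
  if (resolved.origin !== new URL(siteOrigin).origin) {
    return SAFE_FALLBACK;
  }
  return resolved.pathname + resolved.search + resolved.hash;
}
```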
Update Next.js to version 11.1.0 or later. This will fix the open redirect vulnerability. You can update using npm or yarn.
CVE-2021-37699 is a vulnerability in Next.js allowing attackers to redirect users to malicious sites via specially crafted URLs, potentially leading to phishing attacks. It affects versions 10.0.5-10.2.0 and 11.0.0-11.0.1.
You are affected if you are using Next.js versions 10.0.5 through 10.2.0 or 11.0.0 through 11.0.1 and utilizing pages/_error.js without proper input validation.
Upgrade to Next.js version 11.1.0 or later to resolve the vulnerability. As a temporary workaround, implement a WAF rule to block suspicious redirects.
There is currently no evidence of CVE-2021-37699 being actively exploited in the wild.
Refer to the Next.js security advisory: https://github.com/vercel/next.js/security/advisories/GHSA-5g9j-844x-993c