// For flags

CVE-2021-37699

Open Redirect in Next.js versions below 11.1.0

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0.

Next.js es un marco de desarrollo de sitios web de código abierto que se utilizará con la biblioteca React. En las versiones afectadas, rutas especialmente codificadas podrían ser usadas cuando pages/_error.js se generaron estáticamente, lo que permite que se produzca un redireccionamiento abierto a un sitio externo. En general, esta redirección no daña directamente a los usuarios, aunque puede permitir ataques de phishing al redirigir al dominio de un atacante desde un dominio de confianza. Recomendamos a todos que se actualicen, independientemente de si pueden reproducir el problema o no. El problema se corrigió en la versión 11.1.0

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-07-29 CVE Reserved
  • 2021-08-11 CVE Published
  • 2024-04-26 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Vercel
Search vendor "Vercel"
Next.js
Search vendor "Vercel" for product "Next.js"
>= 10.0.5 <= 10.2.0
Search vendor "Vercel" for product "Next.js" and version " >= 10.0.5 <= 10.2.0"
node.js
Affected
Vercel
Search vendor "Vercel"
Next.js
Search vendor "Vercel" for product "Next.js"
>= 11.0.0 <= 11.0.1
Search vendor "Vercel" for product "Next.js" and version " >= 11.0.0 <= 11.0.1"
node.js
Affected