CVE-2021-37699
Open Redirect in Next.js versions below 11.1.0
Public Exploits: 0
Exploited in Wild: -
Description
Next.js is an open source website development framework to be used with the React library. In affected versions, specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to an external site. In general, this redirect does not directly harm users, although it can enable phishing attacks by redirecting from a trusted domain to an attacker's domain. We recommend that everyone upgrade regardless of whether they can reproduce the issue. The issue has been patched in release 11.1.0.
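As an added defensive illustration (this is not Next.js code and not the fix shipped in 11.1.0), the following JavaScript shows the kind of redirect-target check that stops a same-site redirect from becoming an open one: it accepts only absolute paths on the current site and rejects the protocol-relative, backslash and percent-encoded forms that browsers would resolve to another origin. The origin `https://example.invalid` and the function names are constructed for the example.

```javascript
// Added example, not part of Next.js. Accept a redirect target only if it is a
// relative path that stays on the current site; everything else falls back to "/".

function isSafeRelativeRedirect(target) {
  if (typeof target !== 'string' || target.length === 0) return false;

  let decoded;
  try {
    // Decode once so that percent-encoded slashes and backslashes are inspected
    // in their decoded form; a malformed sequence is treated as unsafe.
    decoded = decodeURIComponent(target);
  } catch {
    return false;
  }

  // Must be an absolute path on this site, i.e. start with "/".
  if (!decoded.startsWith('/')) return false;

  // "//host" and "/\host" are treated by browsers as protocol-relative URLs.
  if (decoded.startsWith('//') || decoded.startsWith('/\\')) return false;

  // Browsers normalise "\" to "/"; control characters are never legitimate here.
  if (/[\\\u0000-\u001f]/.test(decoded)) return false;

  // Final check: resolve against a fixed base and confirm the origin is unchanged.
  const base = 'https://example.invalid'; // constructed placeholder origin
  let resolved;
  try {
    resolved = new URL(decoded, base);
  } catch {
    return false;
  }
  return resolved.origin === base;
}

// Return the target if it is safe, otherwise a site-local fallback.
function safeRedirect(target, fallback = '/') {
  return isSafeRelativeRedirect(target) ? target : fallback;
}
```

The decode-then-inspect order matters: checking the raw string alone would let `%2F%2Fevil.example` through, since it only becomes `//evil.example` after decoding. Resolving against a fixed base and comparing `origin` is the backstop that catches any variant the string checks miss.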
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-07-29 CVE Reserved
- 2021-08-11 CVE Published
- 2024-04-26 EPSS Updated
- 2024-08-04 CVE Updated
- Exploited in Wild: not recorded
- KEV Due Date: not recorded
- First Exploit: not recorded
CWE
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CAPEC
References (2)
URL | Tag | Source
---|---|---
https://github.com/vercel/next.js/releases/tag/v11.1.0 | Release Notes |
https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9 | Third Party Advisory |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Vercel | Next.js | >= 10.0.5 <= 10.2.0 | node.js | Affected
Vercel | Next.js | >= 11.0.0 <= 11.0.1 | node.js | Affected