CVE-2021-37699
MEDIUM
Next.js 10.0.5-10.1.0 and 0.9.9-11.0.0 - Open Redirect via Specially Encoded Paths
Next.js is an open source website development framework to be used with the React library. In affected versions, specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to an external site. In general, this redirect does not directly harm users, although it can enable phishing attacks by redirecting from a trusted domain to an attacker's domain. We recommend that everyone upgrade regardless of whether you can reproduce the issue. The issue has been patched in release 11.1.0.
References (2)
Third Party Advisory (x_refsource_confirm)
https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9
Release Notes, Third Party Advisory (x_refsource_misc)
https://github.com/vercel/next.js/releases/tag/v11.1.0
Scores
CVSS v3
6.9
EPSS
0.0120
EPSS Percentile
64.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
Details
CWE
CWE-601
Status
published
Products (2)
npm/next
0.9.9 - 11.1.0 (npm)
vercel/next.js
10.0.5 - 10.2.0
Published
Aug 12, 2021
Tracked Since
Feb 18, 2026