CVE-2021-43803
HIGHNext.js 11.1.0-11.1.2 and 12.0.0-12.0.4 - Denial of Service via Malformed URL
Title source: llmDescription
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.
References (5)
Core 5
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx
Patch, Third Party Advisory x_refsource_misc
https://github.com/vercel/next.js/pull/32080
Patch, Third Party Advisory x_refsource_misc
https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/vercel/next.js/releases/tag/v11.1.3
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/vercel/next.js/releases/v12.0.5
Scores
CVSS v3
7.5
EPSS
0.4482
EPSS Percentile
98.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-20
Status
published
Products (2)
npm/next
12.0.0 - 12.0.5npm
vercel/next.js
11.1.0 - 11.1.3
Published
Dec 10, 2021
Tracked Since
Feb 18, 2026