CVE-2021-43803 : Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3,

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.

Published 2021-12-10 00:15:12

Updated 2024-03-12 16:03:46

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2021-43803

Vercel » Next.js » For Node.js
Versions from including (>=) 12.0.0 and before (<) 12.0.5
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
Matching versions
When used together with: Nodejs » Node.js
Vercel » Next.js » For Node.js
Versions from including (>=) 11.1.0 and before (<) 11.1.3
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
Matching versions
When used together with: Nodejs » Node.js

Exploit prediction scoring system (EPSS) score for CVE-2021-43803

EPSS FAQ

1.70%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 81 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-43803

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2021-43803

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2021-43803

https://github.com/vercel/next.js/releases/v12.0.5

Release v12.0.5 · vercel/next.js · GitHub
Release Notes;Third Party Advisory
https://github.com/vercel/next.js/releases/tag/v11.1.3

Release v11.1.3 · vercel/next.js · GitHub
Release Notes;Third Party Advisory
https://github.com/vercel/next.js/pull/32080

Fix server be killed by handling unhandled promise with status 500 by chentsulin · Pull Request #32080 · vercel/next.js · GitHub
Patch;Third Party Advisory
https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx

Unexpected server crash in Next.js versions above 11.1.0 and below 12.0.5 · Advisory · vercel/next.js · GitHub
Patch;Third Party Advisory
https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264

Ensure invalid URLs respond with 400 correctly (#32092) · vercel/next.js@6d98b4f · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-43803

Products affected by CVE-2021-43803

Exploit prediction scoring system (EPSS) score for CVE-2021-43803

CVSS scores for CVE-2021-43803

CWE ids for CVE-2021-43803

References for CVE-2021-43803