CVE-2021-37699
Open Redirect vulnerability in next (npm)
What is CVE-2021-37699 About?
This vulnerability in Next.js versions 10.0.5 to 10.2.0 and 11.0.0 to 11.0.1 allows an open redirect to external sites through specially encoded paths when `pages/_error.js` is statically generated. While not directly harmful on its own, it enables phishing attacks by redirecting users away from a trusted domain. Exploitation involves crafting a URL with a specially encoded path.
Affected Software
Technical Details
The vulnerability occurs in Next.js applications running an affected version where `pages/_error.js` is statically generated. Specially encoded path segments in the URL, particularly ones that pass typical URL parsing or sanitization, are misinterpreted by Next.js, so that when the error page is triggered the user is redirected to an arbitrary attacker-controlled domain rather than kept on the original site. The mechanism likely involves improper handling of path segments or URL decoding that lets the path escape the intended domain context. For instance, a URL like `https://trusted.com/%2F%2Fattacker.com` might redirect to attacker.com instead of serving the error page on trusted.com.
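As an added defensive illustration (not code from Next.js or from this advisory), the helper below shows how a server-side redirect routine can refuse the encoded and protocol-relative paths described above before handing them to a `Location` header; `TRUSTED_ORIGIN`, `isSafeRedirect` and `resolveRedirect` are assumed names for the example.

```javascript
// Added example: validate a redirect target so that percent-encoded or
// protocol-relative paths cannot escape the trusted origin.
const TRUSTED_ORIGIN = "https://trusted.com"; // assumed origin for the example

// Returns true only if `target` resolves to a path on `origin`.
function isSafeRedirect(target, origin = TRUSTED_ORIGIN) {
  if (typeof target !== "string" || target.length === 0) return false;

  // Decode until stable (bounded) so double-encoded forms like %252F are
  // seen the way a browser or a second decoder would see them.
  let decoded = target;
  try {
    for (let i = 0; i < 3; i++) {
      const next = decodeURIComponent(decoded);
      if (next === decoded) break;
      decoded = next;
    }
  } catch (e) {
    return false; // malformed percent-encoding is rejected outright
  }

  // "//host" and "/\host" are treated as protocol-relative by browsers,
  // which is exactly how an encoded path turns into an external redirect.
  if (/^[\/\\]{2}/.test(decoded)) return false;

  // Only absolute paths on this site are acceptable; "https://..." and
  // bare hostnames are refused.
  if (!decoded.startsWith("/")) return false;

  // Resolve against the trusted origin and confirm the origin is unchanged.
  try {
    return new URL(decoded, origin).origin === origin;
  } catch (e) {
    return false;
  }
}

// Returns the decoded safe path, or `fallback` when the target is unsafe.
function resolveRedirect(target, fallback = "/", origin = TRUSTED_ORIGIN) {
  if (!isSafeRedirect(target, origin)) return fallback;
  return new URL(decodeURIComponent(target), origin).pathname;
}

module.exports = { isSafeRedirect, resolveRedirect, TRUSTED_ORIGIN };
```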
What is the Impact of CVE-2021-37699?
Successful exploitation may allow attackers to redirect users to arbitrary external websites, often leveraged for phishing attacks or credential harvesting, by abusing the trust of the original domain.
What is the Exploitability of CVE-2021-37699?
Exploitation involves crafting a specific URL with a specially encoded path that triggers the open redirect. The complexity is low, as it mainly requires knowledge of the encoding bypass. There are no authentication or privilege requirements; the attacker simply needs to entice a user to click a malicious link pointing to the vulnerable Next.js application. This is a remote exploit. The special conditions include the use of `pages/_error.js` (without `getInitialProps` for some versions) and `next export` for others. The likelihood of exploitation is higher in applications that do not implement proper URL sanitization and whose users might be susceptible to social engineering into clicking malicious links.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-37699?
Available Upgrade Options
- next
  - >0.9.9, <11.1.0 → Upgrade to 11.1.0
Additional Resources
- https://github.com/vercel/next.js/releases/tag/v11.1.0
- https://nvd.nist.gov/vuln/detail/CVE-2021-37699
- https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9
- https://osv.dev/vulnerability/GHSA-vxf5-wxwp-m7g9
- https://github.com/vercel/next.js
What are Similar Vulnerabilities to CVE-2021-37699?
Similar Vulnerabilities: CVE-2020-28469, CVE-2021-23383, CVE-2022-24330, CVE-2022-31189, CVE-2023-35661
