CVE-2021-43803
Denial of Service vulnerability in next (npm)

Denial of Service No known exploit

What is CVE-2021-43803 About?

This vulnerability in Next.js versions before 12.0.5 (or, on the 11.x line, before 11.1.3) can lead to a server crash when the application processes an invalid or malformed URL. A crashed server process makes the application unavailable, so the issue is a denial of service. Exploitation is relatively easy for an attacker who can send crafted HTTP requests to the server.

Affected Software

  • next
    • >0.9.9, <11.1.3
    • >12.0.0, <12.0.5

Technical Details

The vulnerability in Next.js (versions from 11.1.0 onward that are below 12.0.5, or below 11.1.3 on the 11.x line) affects deployments that serve the application with next start or a custom server on Node.js 15.0.0 or higher. A malformed or invalid URL submitted to the Next.js application triggers an unhandled error or exception in the server's request handling logic, and the unhandled exception terminates the server process. This is a form of Denial of Service (DoS): once the process exits, service is disrupted for all users, not just the sender of the bad request. The advisory does not specify which invalid or malformed URLs trigger the crash; what it does indicate is that URL parsing in the affected Next.js and Node.js combination lacks robust error handling or input validation, so a parse failure is not caught and handled as a bad request.

What is the Impact of CVE-2021-43803?

Successful exploitation may allow attackers to cause a denial of service by crashing the Next.js server, leading to service unavailability and disruption for all users.

What is the Exploitability of CVE-2021-43803?

Exploitation involves sending a specially crafted, invalid or malformed URL to the Next.js server. This is a low-complexity attack. No authentication is required, because the attack targets the server's ability to handle basic HTTP requests, and no privileges are needed: any unauthenticated user capable of sending a request can trigger the vulnerability. It is remotely exploitable. Special conditions include running Next.js versions above 11.1.0 and below 12.0.5 (or below 11.1.3 on the 11.x line) on Node.js 15.0.0 or higher, and serving the application with next start or a custom server. Deployments on platforms such as Vercel, which filter invalid requests before they reach the application, are not affected. The main risk factor is exposing a vulnerable Next.js server directly to the internet without a protective layer, such as a reverse proxy that validates URLs before forwarding them.
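The protective layer described above can also live inside the Node.js process. The following is an added example, not code from the advisory or from the Next.js project: a request-level guard that validates the raw request target before it reaches the framework and converts any exception escaping the wrapped handler into an HTTP 500, so a single bad request cannot take the whole process down. It assumes a Node.js custom server in which the wrapped handler is the one returned by Next.js's app.getRequestHandler(); that wiring is assumed and not shown. The guard is defence in depth, not a substitute for upgrading to a fixed release.

```javascript
'use strict';
// Added example, not code from the advisory or from Next.js: validate the raw request
// target first, and never let an exception from the downstream handler reach the event
// loop as an uncaught exception. Upgrading Next.js remains the actual fix.

const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;
const MAX_URL_LENGTH = 8192;

// Returns null when the raw request target is acceptable, otherwise a short reason.
function checkRequestUrl(rawUrl) {
  if (typeof rawUrl !== 'string' || rawUrl.length === 0) return 'empty';
  if (rawUrl.length > MAX_URL_LENGTH) return 'too long';
  if (CONTROL_CHARS.test(rawUrl)) return 'control character';
  // Node's http server hands us origin-form ("/path?q=1") or absolute-form targets.
  if (!rawUrl.startsWith('/') && !/^https?:\/\//i.test(rawUrl)) return 'unexpected request-target form';
  let parsed;
  try {
    parsed = new URL(rawUrl, 'http://localhost'); // the base is only used for origin-form
  } catch (_err) {
    return 'unparseable';
  }
  // WHATWG parsing keeps malformed escapes such as "%zz" as-is; decoding them throws URIError.
  try {
    decodeURIComponent(parsed.pathname);
    decodeURIComponent(parsed.search.slice(1));
  } catch (_err) {
    return 'bad percent-encoding';
  }
  return null;
}

// Sends an error response if none has been started yet, and logs the failure.
function fail(res, status, err) {
  if (err) console.error('request handler failed:', err.message);
  if (!res.headersSent) {
    res.statusCode = status;
    res.setHeader('Content-Type', 'text/plain');
    res.end(status === 400 ? 'Bad Request\n' : 'Internal Server Error\n');
  }
}

// Wraps any (req, res) handler. In a custom Next.js server this would be the handler
// returned by app.getRequestHandler() (assumed wiring, not shown here).
function withUrlGuard(handler) {
  return function guarded(req, res) {
    const reason = checkRequestUrl(req.url);
    if (reason !== null) {
      // Log the reason, not the raw URL, to keep untrusted bytes out of the log.
      console.warn(`rejected malformed request target (${reason})`);
      return fail(res, 400);
    }
    try {
      // Covers both synchronous throws and rejected promises from async handlers.
      return Promise.resolve(handler(req, res)).catch((err) => fail(res, 500, err));
    } catch (err) {
      return fail(res, 500, err);
    }
  };
}

// Runs the guarded handler against a constructed in-memory request/response pair so the
// behaviour can be checked without opening a socket. Returns the status code that was sent.
function simulate(rawUrl, handler) {
  const req = { method: 'GET', url: rawUrl, headers: {} };
  const res = {
    statusCode: 200,
    headersSent: false,
    body: '',
    setHeader() {},
    end(chunk) { this.headersSent = true; this.body += chunk || ''; },
  };
  withUrlGuard(handler)(req, res);
  return res.statusCode;
}

// Production wiring (assumed): http.createServer(withUrlGuard(nextHandler)).listen(3000)
```

The guard is deliberately lenient about what it accepts: anything the WHATWG URL parser and decodeURIComponent can handle is passed through unchanged, and only targets that cannot be parsed at all, carry control characters, or contain broken percent-escapes are answered with 400. That keeps the check from rejecting legitimate traffic while still turning parse failures into a response instead of a process exit.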

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2021-43803?

Available Upgrade Options

  • next
    • >0.9.9, <11.1.3 → Upgrade to 11.1.3
  • next
    • >12.0.0, <12.0.5 → Upgrade to 12.0.5
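To check whether a deployment actually falls in the affected ranges listed above, the version resolved in the lockfile is what matters, not the range in package.json. The following is an added example, not code from the advisory or the Next.js project: it implements the two ranges exactly as written above (both bounds exclusive), with a minimal inline semver comparison instead of the semver package, and reads the resolved next version from a parsed package-lock.json in either the v1 "dependencies" or the v2/v3 "packages" layout. The lockfile fragment is constructed for the example.

```javascript
'use strict';
// Added example, not from the advisory or from Next.js: report whether an installed `next`
// version is in an affected range for CVE-2021-43803 and which release fixes it.

// The ranges as listed in the advisory; "above"/"below" are exclusive bounds.
const AFFECTED_RANGES = [
  { above: '0.9.9', below: '11.1.3', fixed: '11.1.3' },
  { above: '12.0.0', below: '12.0.5', fixed: '12.0.5' },
];

// "12.0.4-canary.3" -> { nums: [12, 0, 4], pre: 'canary.3' }; throws on anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative, zero or positive like a sort comparator. A prerelease sorts before its release
// (12.0.5-canary.1 < 12.0.5), which matters here: a canary of the fixed version is still
// below the fix. Prereleases of the same triple are compared lexically, which is enough for
// the canary tags Next.js publishes.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Returns the release to upgrade to when `version` is affected, otherwise null.
function upgradeTargetFor(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.above) > 0 && compareVersions(version, r.below) < 0) {
      return r.fixed;
    }
  }
  return null;
}

// Pulls the resolved `next` version out of a parsed package-lock.json: lockfile v2/v3 keep
// it under packages['node_modules/next'], v1 under dependencies.next. Null when absent.
function nextVersionFromLock(lock) {
  if (lock.packages && lock.packages['node_modules/next']) {
    return lock.packages['node_modules/next'].version;
  }
  if (lock.dependencies && lock.dependencies.next) {
    return lock.dependencies.next.version;
  }
  return null;
}

// Constructed sample lockfile fragment, not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/next': { version: '12.0.3' },
  },
};

// Real use would be: nextVersionFromLock(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
function main() {
  const v = nextVersionFromLock(SAMPLE_LOCK);
  const target = upgradeTargetFor(v);
  console.log(target
    ? `next ${v} is in an affected range for CVE-2021-43803; upgrade to ${target}`
    : `next ${v} is not in an affected range for CVE-2021-43803`);
}
main();
```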


Additional Resources

What are Similar Vulnerabilities to CVE-2021-43803?

Similar Vulnerabilities: CVE-2023-38546, CVE-2023-26115, CVE-2022-29215, CVE-2022-21676, CVE-2021-23382