CVE-2021-43803

Unexpected server crash in Next.js

Description

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.

References

Link	Tags
https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx	third party advisory patch
https://github.com/vercel/next.js/pull/32080	third party advisory patch
https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264	third party advisory patch
https://github.com/vercel/next.js/releases/tag/v11.1.3	third party advisory release notes
https://github.com/vercel/next.js/releases/v12.0.5	third party advisory release notes

Frequently Asked Questions

What is the severity of CVE-2021-43803?: CVE-2021-43803 has been scored as a high severity vulnerability.
How to fix CVE-2021-43803?: To fix CVE-2021-43803, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-43803 being actively exploited in the wild?: It is possible that CVE-2021-43803 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~2% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-43803?: CVE-2021-43803 affects vercel next.js.

Description

Category

CWE-20 – Improper Input Validation

References

Frequently Asked Questions