6.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-37699

GHSA ID

GHSA-vxf5-wxwp-m7g9

EPSS Score

0.6173%

CWE

CWE-601

Published

8/12/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-37699

CVE-2021-37699: Open Redirect in Next.js

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

Impact

Affected: Users of Next.js between 10.0.5 and 10.2.0
Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps
Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js and next export
Not affected: Deployments on Vercel (vercel.com) are not affected
Not affected: Deployments with pages/404.js
Note that versions prior to 0.9.9 package next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

Patches

https://github.com/vercel/next.js/releases/tag/v11.1.0

(GitHub Advisory)

6.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-37699

GHSA ID

GHSA-vxf5-wxwp-m7g9

EPSS Score

0.6173%

CWE

CWE-601

Published

8/12/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
next	npm	>= 0.9.9, < 11.1.0	11.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability specifically manifests in the static generation logic for pages/_error.js when: 1) No getInitialProps is defined (removing runtime validation), or 2) next export is used (forcing static generation). The advisory indicates improper handling of encoded paths during static HTML generation for error pages, which normally occurs through Next.js' internal static export pipeline. While no explicit function names are disclosed in the advisory, the root cause lies in the framework's path normalization logic during static generation of error pages, as patched in v11.1.0. The combination of version ranges, error page usage patterns, and static export context uniquely identifies this code path as vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

N*xt.js is *n op*n sour** w**sit* **v*lopm*nt *r*m*work to ** us** wit* t** R***t li*r*ry. In *****t** v*rsions sp**i*lly *n*o*** p*t*s *oul* ** us** w**n `p***s/_*rror.js` w*s st*ti**lly **n*r*t**, *llowin* *n op*n r**ir**t to o**ur to *n *xt*rn*l s

Reasoning

T** vuln*r**ility sp**i*i**lly m*ni**sts in t** st*ti* **n*r*tion lo*i* *or p***s/_*rror.js w**n: *) No **tIniti*lProps is ***in** (r*movin* runtim* v*li**tion), or *) n*xt *xport is us** (*or*in* st*ti* **n*r*tion). T** **visory in*i**t*s improp*r *

6.9

Basic Information

Concerned about an active attack path?

CVE-2021-37699: Open Redirect in Next.js

Impact

Patches

6.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI