7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-43803

GHSA ID

GHSA-25mp-g6fv-mqxx

EPSS Score

0.83496%

CWE

CWE-20

Published

12/7/2021

Updated

3/13/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-43803

CVE-2021-43803: Unexpected server crash in Next.js.

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package next hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-43803

GHSA ID

GHSA-25mp-g6fv-mqxx

EPSS Score

0.83496%

CWE

CWE-20

Published

12/7/2021

Updated

3/13/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
next	npm	>= 12.0.0, < 12.0.5	12.0.5
next	npm	>= 0.9.9, < 11.1.3	11.1.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper input validation in request handling. The GitHub commit 6d98b4f shows added try-catch blocks around the request processing logic in next-server.ts, specifically handling DecodeError and invalid URLs. The patch adds error handling that returns 400 responses instead of allowing crashes. This matches the CWE-20 (Improper Input Validation) classification and the vulnerability description of server crashes from malformed URLs. The handleRequest() function is the entry point for request processing where URL validation occurs, making it the clear vulnerable component before patching.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

N*xt.js is * R***t *r*m*work. In v*rsions o* N*xt.js prior to **.*.* or **.*.*, inv*li* or m*l*orm** URLs *oul* l*** to * s*rv*r *r*s*. In or**r to ** *****t** *y t*is issu*, t** **ploym*nt must us* N*xt.js v*rsions **ov* **.*.* *n* **low **.*.*, No*

Reasoning

T** vuln*r**ility st*mm** *rom improp*r input v*li**tion in r*qu*st **n*lin*. T** *it*u* *ommit ******* s*ows ***** try-**t** *lo*ks *roun* t** r*qu*st pro**ssin* lo*i* in `n*xt-s*rv*r.ts`, sp**i*i**lly **n*lin* `***o***rror` *n* inv*li* URLs. T** p*

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-43803: Unexpected server crash in Next.js.

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI