CVE-2021-43803
Unexpected server crash in Next.js
In short
Next.js versions 11.1.0–12.0.4 crash when receiving malformed URLs, causing the server to stop working temporarily. This affects websites using these specific versions with Node.js 15+.
Technical detail
Improper input validation (CWE-20) in URL parsing allows attackers to send malformed URLs that trigger an unhandled exception, resulting in denial of service. The attack vector is network-based and requires neither authentication nor user interaction; affected deployments must use Next.js 11.1.0–12.0.4, Node.js 15.0.0+, and either next start or a custom server (managed platforms such as Vercel filter invalid requests upstream, before they reach Next.js).
Summary generated and translated by AI from the official description.
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.
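The upstream-filtering mitigation the description mentions, written out as an added example (this is not Next.js's or Vercel's own code): a request-URL guard for a custom Node.js server that sits in front of a Next.js request handler. It assumes that a request-target which fails WHATWG URL parsing, is not in origin-form, or cannot be percent-decoded is the kind of malformed input worth rejecting with a 400 before the framework sees it; the page does not give the exact inputs that triggered this CVE, and the sample request-targets below are constructed for the demo.

```javascript
// Added example, not code from the Next.js project. A defensive pre-check for a
// custom Node.js server in front of Next.js, in the spirit of "invalid requests
// are filtered before reaching Next.js". Which malformed-URL classes are rejected
// is this example's assumption, not the specific trigger of CVE-2021-43803.

const BASE = 'http://localhost'; // placeholder origin, used only to resolve relative request-targets

// Returns { ok: true, pathname, search } or { ok: false, reason }.
function validateRequestUrl(rawUrl) {
  if (typeof rawUrl !== 'string' || rawUrl.length === 0) {
    return { ok: false, reason: 'empty or non-string request-target' };
  }
  // Only origin-form ("/path?query") is accepted. "//host/path" would re-parse
  // as a protocol-relative URL pointing at a different host.
  if (!rawUrl.startsWith('/') || rawUrl.startsWith('//')) {
    return { ok: false, reason: 'request-target is not origin-form' };
  }
  let parsed;
  try {
    parsed = new URL(rawUrl, BASE);
  } catch (err) {
    return { ok: false, reason: `unparseable URL: ${err.message}` };
  }
  if (parsed.host !== new URL(BASE).host) {
    return { ok: false, reason: 'request-target resolved to a different host' };
  }
  // The WHATWG parser tolerates bad percent-escapes such as "/%" and leaves them
  // in place; decoding is where application code typically throws a URIError,
  // so decode path and query up front and reject on failure.
  try {
    decodeURIComponent(parsed.pathname);
    decodeURIComponent(parsed.search);
  } catch (err) {
    return { ok: false, reason: `malformed percent-encoding: ${err.message}` };
  }
  return { ok: true, pathname: parsed.pathname, search: parsed.search };
}

// Wraps a Next.js-style handler (e.g. the function returned by app.getRequestHandler())
// so that requests with malformed URLs receive a 400 instead of reaching the framework.
// Returns the validation result for a rejected request, or the handler's return value.
function guardRequestUrl(handler) {
  return function guarded(req, res) {
    const result = validateRequestUrl(req.url);
    if (!result.ok) {
      res.statusCode = 400;
      res.setHeader('Content-Type', 'text/plain; charset=utf-8');
      res.end('Bad Request');
      return result;
    }
    return handler(req, res);
  };
}

// Constructed sample request-targets (not from the advisory); prints the verdict for each.
const SAMPLES = ['/api/items?id=1', '/%', '/a?id=%', '//evil.example/x', ''];
for (const target of SAMPLES) {
  const verdict = validateRequestUrl(target);
  console.log(JSON.stringify(target), verdict.ok ? 'accepted' : `rejected: ${verdict.reason}`);
}

module.exports = { validateRequestUrl, guardRequestUrl };
```

In a custom server this wrapper goes around the handler passed to http.createServer, so the guard runs before any Next.js routing; the rejected request still shows up in the server's access log with status 400, which is a useful signal to alert on if a burst of them appears.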
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
vercel · next.js
References
https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264
https://github.com/vercel/next.js/pull/32080
https://github.com/vercel/next.js/releases/tag/v11.1.3
https://github.com/vercel/next.js/releases/v12.0.5
https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx