CVE-2021-43803

Name
CVE-2021-43803
Description
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/vercel/next.js/releases/v12.0.5
MISC https://github.com/vercel/next.js/pull/32080
MISC https://github.com/vercel/next.js/releases/tag/v11.1.3
MISC https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264
CONFIRM https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 15.0.0 <= None
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* next.js >= 11.1.0 < 11.1.3
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* next.js >= 12.0.0 < 12.0.5

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
nodejs edge-main 16.13.2-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable
nodejs 3.15-main 16.13.2-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable