CVE-2021-37699 Overview
Next.js is an open source website development framework for use with the React library. In affected versions, specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. While this redirect does not directly harm users, it can enable phishing attacks by redirecting users from a trusted domain to an attacker-controlled domain.
Critical Impact
Open redirect vulnerability enables phishing attacks by abusing trust in legitimate Next.js applications to redirect users to malicious external sites.
Affected Products
- Vercel Next.js versions prior to 11.1.0
- Next.js applications with statically generated pages/_error.js
- Node.js deployments using vulnerable Next.js versions
Discovery Timeline
- 2021-08-12 - CVE-2021-37699 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-37699
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, also known as Open Redirect). The issue occurs in Next.js applications where pages/_error.js has been statically generated. Under these conditions, an attacker can craft specially encoded URL paths that bypass normal validation and cause the application to redirect users to an arbitrary external site.
Open redirect vulnerabilities are particularly dangerous in the context of phishing attacks. When a trusted domain like a legitimate company website redirects to a malicious site, users are more likely to trust the destination since they believe they are navigating from a safe source. This exploitation of domain trust is a well-known social engineering technique.
The vulnerability requires user interaction—a victim must click on a maliciously crafted link that points to the vulnerable Next.js application. The application then processes the specially encoded path and performs the redirect to the attacker's domain.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and URL sanitization within the Next.js routing mechanism when handling error pages. When pages/_error.js is statically generated, the framework fails to properly validate and sanitize specially encoded path segments, allowing attackers to inject external URLs that trigger redirects outside the application's intended domain.
Attack Vector
The attack is network-based and requires user interaction. An attacker would craft a malicious URL containing specially encoded path segments pointing to a vulnerable Next.js application. When a victim clicks on this link (typically delivered through email, social media, or other communication channels), the Next.js application processes the request and redirects the user to the attacker's external site.
This attack flow typically involves:
- Attacker identifies a Next.js application with statically generated pages/_error.js
- Attacker crafts a URL with specially encoded path components containing an external redirect destination
- Victim clicks the malicious link, trusting the legitimate domain
- Next.js application processes the request and redirects to the attacker's site
- Victim is now on a phishing site that may impersonate the original trusted domain
Detection Methods for CVE-2021-37699
Indicators of Compromise
- Unusual URL patterns in access logs containing encoded characters in error page paths
- Redirect responses (HTTP 3xx) pointing to external domains originating from error page routes
- User reports of unexpected redirects when accessing legitimate application URLs
Detection Strategies
- Monitor web server access logs for requests to error pages containing unusual URL-encoded characters
- Implement Content Security Policy (CSP) headers to detect and block unauthorized redirects
- Review referrer logs for patterns indicating users arriving at external sites from your application
- Deploy web application firewall (WAF) rules to detect encoded redirect attempts
Monitoring Recommendations
- Enable detailed logging for all HTTP 3xx redirect responses from your Next.js applications
- Set up alerts for redirect responses pointing to domains outside your organization's allowlist
- Monitor for spikes in error page requests that may indicate reconnaissance activity
- Track user-reported phishing attempts that reference your organization's domains
How to Mitigate CVE-2021-37699
Immediate Actions Required
- Upgrade all Next.js installations to version 11.1.0 or later immediately
- Audit your Next.js applications to identify which have statically generated pages/_error.js
- Review access logs for evidence of exploitation attempts
- Notify users if potential phishing campaigns leveraging this vulnerability are detected
Patch Information
The vulnerability has been patched in Next.js release 11.1.0. Vercel recommends that all users upgrade regardless of whether the issue can be reproduced in their specific configuration. The patch information and release notes are available in the GitHub Release v11.1.0. Additional details about the vulnerability can be found in the GitHub Security Advisory GHSA-vxf5-wxwp-m7g9.
Workarounds
- If immediate upgrade is not possible, consider switching from static generation to server-side rendering for error pages
- Implement additional redirect validation at the reverse proxy or load balancer level
- Deploy a web application firewall (WAF) with rules to block specially encoded redirect attempts
- Use Content Security Policy headers to restrict where the application can redirect users
# Upgrade Next.js to patched version
npm install next@11.1.0
# Verify installed version
npm list next
# For yarn users
yarn add next@11.1.0
yarn list next
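As an added example (not part of the advisory or the Next.js project), the log review described under Detection Strategies and the proxy-level redirect validation suggested under Workarounds, assuming an application origin of app.example.com, a small host allowlist, and a constructed access log format:

```javascript
// Added example, not code from the advisory or from Next.js. Flags 3xx responses
// whose Location leaves the allowlisted hosts (noting URL-encoded request paths)
// and shows the check a reverse proxy could apply before honouring a redirect.
const APP_ORIGIN = 'https://app.example.com';             // assumed app origin
const ALLOWED_HOSTS = new Set(['app.example.com', 'www.example.com']);

// Resolve a Location value against the app origin; relative, protocol-relative
// ("//host") and absolute targets are all normalised by the WHATWG URL parser.
function isExternalRedirect(location, origin = APP_ORIGIN) {
  let target;
  try { target = new URL(location, origin); } catch { return true; } // unparseable: suspicious
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return true;
  return !ALLOWED_HOSTS.has(target.hostname);
}

// Workaround-style check for a reverse proxy: keep in-allowlist redirects,
// rewrite anything else to the site root.
function sanitizeRedirect(location) {
  return isExternalRedirect(location) ? '/' : location;
}

// Constructed log format: METHOD PATH STATUS LOCATION ("-" when absent).
function parseLogLine(line) {
  const [method, path, status, location = '-'] = line.trim().split(/\s+/);
  return { method, path, status: Number(status), location };
}

// One finding per 3xx response that redirects outside the allowlist, with an
// extra reason when the requested path carried URL-encoded characters.
function findSuspiciousRedirects(lines) {
  const findings = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (e.status < 300 || e.status >= 400 || e.location === '-') continue;
    if (!isExternalRedirect(e.location)) continue;
    const reasons = ['external-redirect'];
    if (/%[0-9A-Fa-f]{2}/.test(e.path)) reasons.push('encoded-path');
    findings.push({ path: e.path, location: e.location, reasons });
  }
  return findings;
}

// Constructed sample access log lines.
const SAMPLE_LOG = [
  'GET /products 200 -',
  'GET /old-page 301 /new-page',
  'GET /login 302 https://www.example.com/login',
  'GET /docs%2Fintro 307 //evil.example/login',
];
```

Run `findSuspiciousRedirects(SAMPLE_LOG)` against lines in the constructed format; only the last sample line is reported, with both reasons attached.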
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.