PT-2021-23945 · Vercel · Next.Js

Timneutkens · Published 2021-12-07 · Updated 2026-05-18 · CVE-2021-43803

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Next.js versions prior to 12.0.5; Next.js versions prior to 11.1.3
Description: The issue arises when invalid or malformed URLs are processed, potentially leading to a server crash. This can occur in deployments using Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. However, deployments on Vercel and similar environments where invalid requests are filtered before reaching Next.js are not affected.
Recommendations: For Next.js versions prior to 12.0.5, update to version 12.0.5 or later to resolve the issue. For Next.js versions prior to 11.1.3, update to version 11.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the server or implementing filtering for invalid requests to minimize the risk of exploitation.
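
The temporary workaround above (filtering invalid requests before they reach Next.js), as an added example that is not code from this advisory or from Next.js. What counts as "invalid" is an assumption here: a request target that is empty or over-long, not in origin form, contains control characters, spaces or backslashes, or fails percent-decoding; `isWellFormedRequestUrl`, `guardMalformedUrls` and `MAX_URL_LENGTH` are hypothetical names.

```javascript
// Added example: reject malformed request targets with 400 before the
// Next.js request handler ever sees them. The definition of "malformed"
// below is an assumption, not taken from the advisory.

const MAX_URL_LENGTH = 2048; // assumed limit; tune per deployment

function isWellFormedRequestUrl(rawUrl) {
  if (typeof rawUrl !== 'string') return false;
  if (rawUrl.length === 0 || rawUrl.length > MAX_URL_LENGTH) return false;
  // Only origin-form targets ("/path?query") are accepted.
  if (rawUrl[0] !== '/') return false;
  // Control characters, spaces, DEL and backslashes never belong in a target.
  if (/[\u0000-\u0020\u007f\\]/.test(rawUrl)) return false;
  // Every "%" must introduce exactly two hex digits.
  if (/%(?![0-9a-fA-F]{2})/.test(rawUrl)) return false;
  try {
    // Throws URIError when the escapes do not form valid UTF-8.
    decodeURIComponent(rawUrl);
  } catch (err) {
    return false;
  }
  return true;
}

// Wraps any (req, res) handler. In a custom server this would wrap the
// function returned by app.getRequestHandler(), for example:
//   http.createServer(guardMalformedUrls(handle))
// Returns true when the request was passed on, false when it was rejected.
function guardMalformedUrls(handler) {
  return function guarded(req, res) {
    if (!isWellFormedRequestUrl(req.url)) {
      res.statusCode = 400;
      res.setHeader('Content-Type', 'text/plain; charset=utf-8');
      res.end('Bad Request');
      return false;
    }
    handler(req, res);
    return true;
  };
}
```

The same check can live in a reverse proxy in front of `next start`; the wrapper form applies only to deployments that use a custom server.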

Fix

RCE


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BD71263
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LJ44720
CLEANSTART-2026-LN12820
CLEANSTART-2026-TX00223
CLEANSTART-2026-WI75198
CVE-2021-43803
GHSA-25MP-G6FV-MQXX

Affected Products

Next.Js