CVE-2021-43803: 
JavaScript vulnerability analysis and mitigation

CVE-2021-43803 affects Next.js, a React framework, in versions prior to 12.0.5 or 11.1.3. The vulnerability was discovered and disclosed in December 2021. The issue affects deployments using Next.js versions above 11.1.0 and below 12.0.5, running on Node.js versions above 15.0.0, and using next start or a custom server (GitHub Advisory).

The vulnerability occurs when invalid or malformed URLs are processed by the Next.js server, leading to insufficient error handling. When a URL that cannot be parsed is provided to next-server, an unhandledPromiseRejection could occur. While this only produces a warning in Node.js versions below 15.0.0, it becomes a fatal issue in Node.js versions above 15.0.0, causing the server process to exit. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is a Denial of Service condition. Remote attackers can crash vulnerable systems by sending requests containing maliciously crafted URLs, resulting in server termination due to an unhandled exception. This can lead to unexpected server crashes and service disruption (FortiGuard).

The vulnerability has been patched in Next.js versions 12.0.5 and 11.1.3. Users are recommended to upgrade to these versions or later. Notably, deployments on Vercel and similar environments where invalid requests are filtered before reaching Next.js are not affected by this vulnerability. The patch ensures proper handling of invalid URLs by responding with a 400 status code for invalid requests (GitHub Release).

The vulnerability was discovered by GitHub user hopeless-programmer-online, and the Next.js team acknowledged their investigation and discovery of the original bug. The team has implemented regression tests for this attack in their security integration test suite and encouraged responsible disclosure of future reports through security@vercel.com (GitHub Release).