{"api_version":"1","generated_at":"2026-04-23T06:19:35+00:00","cve":"CVE-2021-43812","urls":{"html":"https://cve.report/CVE-2021-43812","api":"https://cve.report/api/cve/CVE-2021-43812.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-43812","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-43812"},"summary":{"title":"CVE-2021-43812","description":"The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before 1.6.2 do not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2021-12-16 19:15:00","updated_at":"2021-12-22 03:31:00"},"problem_types":["CWE-601"],"metrics":[],"references":[{"url":"https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp","name":"https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp","refsource":"CONFIRM","tags":[],"title":"Open redirect · Advisory · auth0/nextjs-auth0 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/auth0/nextjs-auth0/commit/0bbd9f8a0c93af51f607f28633b5fb18c5e48ad6","name":"https://github.com/auth0/nextjs-auth0/commit/0bbd9f8a0c93af51f607f28633b5fb18c5e48ad6","refsource":"MISC","tags":[],"title":"Enforce configured host on user supplied returnTo (#557) · auth0/nextjs-auth0@0bbd9f8 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-43812","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43812","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"43812","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"auth0","cpe5":"nextjs-auth0","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"node.js","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-43812","STATE":"PUBLIC","TITLE":"Open redirect in nextjs-auth0"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"nextjs-auth0","version":{"version_data":[{"version_value":"< 1.6.2"}]}}]},"vendor_name":"auth0"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before 1.6.2 do not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}]},"references":{"reference_data":[{"name":"https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp","refsource":"CONFIRM","url":"https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-2mqv-4j3r-vjvp"},{"name":"https://github.com/auth0/nextjs-auth0/commit/0bbd9f8a0c93af51f607f28633b5fb18c5e48ad6","refsource":"MISC","url":"https://github.com/auth0/nextjs-auth0/commit/0bbd9f8a0c93af51f607f28633b5fb18c5e48ad6"}]},"source":{"advisory":"GHSA-2mqv-4j3r-vjvp","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-12-16 19:15:00","lastModifiedDate":"2021-12-22 03:31:00","problem_types":["CWE-601"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:auth0:nextjs-auth0:*:*:*:*:*:node.js:*:*","versionEndExcluding":"1.6.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"43812","Ordinal":"221307","Title":"CVE-2021-43812","CVE":"CVE-2021-43812","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"43812","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}