CVE-2020-15242: URL Redirection to Untrusted Site (Open Redirect)

October 8, 2020 (updated December 3, 2020)

Next.js is vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain.

References

nvd.nist.gov/vuln/detail/CVE-2020-15242

Detect and mitigate CVE-2020-15242 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →