MatBlog
Nov 28, 2021

Next.js

The Next.js team works with security researchers and auditors to protect against vulnerabilities. We are thankful to Gabriel Benmergui from Robinhood for their investigation and discovery of an open redirect with pages/_error.js and subsequent responsible disclosure.

The reported issue did not directly harm users, but it could allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We've landed a patch in Next.js 11.1 preventing this open redirect from occurring, as well as .

For more details, please read the . We recommend upgrading to the latest version of Next.js to improve the overall security of your application. For future responsible disclosure of reports, email us at security@vercel.com.

Note: Next.js applications hosted on Vercel are not affected by this vulnerability (and, therefore, no action is needed for your Next.js apps running on Vercel).

Muhammad Rafeh

Mobile App Developer