CVE-2023-46298
EPSS 0.37%
Next.js missing cache-control header may lead to CDN caching empty reply
Published: 10/22/2023
Modified: 11/8/2023
Also known as: GHSA-c59h-r6p8-q9wc
Description
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.
Affected packages (1)
- npm/next: >= 0.9.9, < 13.4.20-canary.13
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-46298
- PATCH: https://github.com/vercel/next.js
- WEB: https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648
- WEB: https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13
- WEB: https://github.com/vercel/next.js/issues/45301
- WEB: https://github.com/vercel/next.js/pull/54732