CVE-2023-46298
EPSS 0.37%
Next.js missing cache-control header may lead to CDN caching empty reply
Published: 2023/10/22
Modified: 2023/11/8
Description
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.
Affected packages (1)
- npm/next >= 0.9.9, < 13.4.20-canary.13
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-46298
- PATCH: https://github.com/vercel/next.js
- WEB: https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648
- WEB: https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13
- WEB: https://github.com/vercel/next.js/issues/45301
- WEB: https://github.com/vercel/next.js/pull/54732