CVE-2023-46298
Published 2023-10-22
Priority P3 · 39 · high · 7.5 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.28% (66.5th percentile)
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 0.9.9 < 13.4.20-canary.13 | 13.4.20-canary.13 |
| vercel | next.js | < 13.4.20 | 13.4.20 |
| vercel | next.js | — | — |
OSV
Next.js missing cache-control header may lead to CDN caching empty reply
osv·2023-10-22
CVE-2023-46298 [LOW] Next.js missing cache-control header may lead to CDN caching empty reply
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.
GHSA
Next.js missing cache-control header may lead to CDN caching empty reply
ghsa·2023-10-22
CVE-2023-46298 [LOW] Next.js missing cache-control header may lead to CDN caching empty reply
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13
https://github.com/vercel/next.js/issues/45301
https://github.com/vercel/next.js/pull/54732