CVE-2023-46298
published 2023-10-22

Priority: P339, high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.28% (66.5th percentile)

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| next | next | >= 0.9.9 < 13.4.20-canary.13 | 13.4.20-canary.13 |
| vercel | next.js | < 13.4.20 | 13.4.20 |
| vercel | next.js | | |