Skip to content

Next.js missing cache-control header may lead to CDN caching empty reply

Low severity GitHub Reviewed Published Oct 22, 2023 to the GitHub Advisory Database • Updated Nov 9, 2023

Package

npm next (npm)

Affected versions

>= 0.9.9, < 13.4.20-canary.13

Patched versions

13.4.20-canary.13

Description

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

References

Published by the National Vulnerability Database Oct 22, 2023
Published to the GitHub Advisory Database Oct 22, 2023
Reviewed Oct 24, 2023
Last updated Nov 9, 2023

Severity

Low

EPSS score

0.071%
(33rd percentile)

Weaknesses

No CWEs

CVE ID

CVE-2023-46298

GHSA ID

GHSA-c59h-r6p8-q9wc

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.