CVE-2023-46298

Summary

CVE	CVE-2023-46298
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-10-22 03:15:00 UTC
Updated	2023-10-28 03:30:00 UTC
Description	Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.

Risk And Classification

Problem Types: NVD-CWE-noinfo

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Vercel	Next.js	All	All	All	All
Application	Vercel	Next.js	13.4.20	canary0	All	All
Application	Vercel	Next.js	13.4.20	canary1	All	All
Application	Vercel	Next.js	13.4.20	canary10	All	All
Application	Vercel	Next.js	13.4.20	canary11	All	All
Application	Vercel	Next.js	13.4.20	canary12	All	All
Application	Vercel	Next.js	13.4.20	canary2	All	All
Application	Vercel	Next.js	13.4.20	canary3	All	All
Application	Vercel	Next.js	13.4.20	canary4	All	All
Application	Vercel	Next.js	13.4.20	canary5	All	All
Application	Vercel	Next.js	13.4.20	canary6	All	All
Application	Vercel	Next.js	13.4.20	canary7	All	All
Application	Vercel	Next.js	13.4.20	canary8	All	All
Application	Vercel	Next.js	13.4.20	canary9	All	All

References

Reference	Source	Link	Tags
Missing cache control directive for server side props response when using middleware and prefetch · Issue #45301 · vercel/next.js · GitHub	MISC	github.com
Comparing v13.4.20-canary.12...v13.4.20-canary.13 · vercel/next.js · GitHub	MISC	github.com
Add cache control header for prefetch empty responses by remorses · Pull Request #54732 · vercel/next.js · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

995699 NodeJs (Npm) Security Update for next (GHSA-c59h-r6p8-q9wc)