CVE-2023-46298 — Next.js missing cache-control header may lead to CDN caching empty reply

Description

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

How to fix CVE-2023-46298

To remediate CVE-2023-46298, upgrade the affected package to a fixed version below.

npm/next—upgrade to 13.4.20-canary.13 or later

Is CVE-2023-46298 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 0.9.9, < 13.4.20-canary.13

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-46298
PATCHgithub.com/vercel/next.js
WEBgithub.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648
WEBgithub.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13