CVE-2023-46298: Next.js missing cache-control header may lead to CDN caching empty reply
(updated )
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.
References
- github.com/advisories/GHSA-c59h-r6p8-q9wc
- github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648
- github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13
- github.com/vercel/next.js/issues/45301
- github.com/vercel/next.js/pull/54732
- nvd.nist.gov/vuln/detail/CVE-2023-46298
Detect and mitigate CVE-2023-46298 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →