Overview
Next.js is a popular open-source React framework that simplifies the development of server-rendered, static, and dynamic web applications by providing built-in features like routing, code splitting, and API routes.
Some versions of Next.js omit a cache-control header when a pre-fetch returns an empty result. If a CDN caches that empty result and an attacker triggers many such empty results, users may experience a denial of service.
A Denial of Service (DoS) attack, as outlined by OWASP, is focused on making a resource (site, application, or server) unavailable for the purpose it was designed. There are many ways to make a service unavailable to legitimate users: by manipulating network packets, or by exploiting programming, logical, or resource-handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or if there is a flaw in the way the service handles the resources it uses.
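As an added example (not code from this advisory or from the Next.js project), the following check classifies captured HTTP responses the way a shared cache would under RFC 9111 and flags the pattern described above: an empty body with no Cache-Control header. The response records and URLs are constructed, and the function names classifySharedCacheRisk and auditResponses are assumptions of this example.

```javascript
// Added example, not code from the advisory or from the Next.js project:
// classify how a shared cache (a CDN) may treat a response under RFC 9111 and
// flag the condition described above: an empty body with no Cache-Control.
// All sample responses below are constructed.
// Statuses a cache may store heuristically when no freshness info is present
// (RFC 9110 section 15.1).
const HEURISTICALLY_CACHEABLE = new Set([200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501]);
// Parse "private, max-age=0" into { private: true, "max-age": "0" }.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || "").split(",")) {
    const [name, val] = part.trim().toLowerCase().split("=");
    if (name) directives[name] = val === undefined ? true : val.replace(/^"|"$/g, "");
  }
  return directives;
}
// response: { url, status, headers: { name: value }, bodyLength }
function classifySharedCacheRisk(response) {
  const headers = {};
  for (const [k, v] of Object.entries(response.headers)) headers[k.toLowerCase()] = v;
  const cc = parseCacheControl(headers["cache-control"]);
  // no-store / private keep it out of a shared cache; no-cache forces
  // revalidation, so a stale empty result can never be served from the CDN.
  if ("no-store" in cc || "private" in cc || "no-cache" in cc) {
    return { cacheable: false, explicit: true, finding: null };
  }
  if ("max-age" in cc || "s-maxage" in cc || "public" in cc || "expires" in headers) {
    return { cacheable: true, explicit: true, finding: null }; // caching chosen by the author
  }
  if (!HEURISTICALLY_CACHEABLE.has(response.status)) {
    return { cacheable: false, explicit: false, finding: null };
  }
  // No Cache-Control on a heuristically cacheable status: a CDN may store it.
  const finding = response.bodyLength === 0
    ? "empty response without Cache-Control may be stored by a CDN and served to every user"
    : "response without Cache-Control may be cached heuristically";
  return { cacheable: true, explicit: false, finding };
}
// Run the check over captured responses and return only those with a finding.
function auditResponses(responses) {
  return responses
    .map((r) => ({ url: r.url, ...classifySharedCacheRisk(r) }))
    .filter((r) => r.finding !== null);
}
// Constructed samples: the risky empty prefetch, the same response with an
// explicit header, and an ordinary page with a body.
const SAMPLES = [
  { url: "/products/1", status: 200, headers: { "Content-Type": "text/plain" }, bodyLength: 0 },
  { url: "/products/2", status: 200, headers: { "Content-Type": "text/plain", "Cache-Control": "private, no-store, max-age=0" }, bodyLength: 0 },
  { url: "/", status: 200, headers: { "Content-Type": "text/html" }, bodyLength: 4096 },
];
```

Running auditResponses(SAMPLES) reports the first and third samples; the second, which carries an explicit private/no-store header, is the behaviour the fixed versions provide.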
Details
Module Info
Product: Next.js
Affected packages: Next.js
Affected versions: >=13.0.0, <13.4.20-canary.13
GitHub Repo: https://github.com/vercel/next.js
Published packages: Next.js
Package manager: npm
Fixed in: 13.4.20-canary.13
Vulnerability Info
This medium-severity vulnerability is found in Next.js in versions equal to or greater than 13.0.0 and less than 13.4.20-canary.13.
Addressing the Issue
Users of the affected components should apply one of the following mitigations:
- Upgrade to a secure version of the software.
- Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this software.
Credit(s)
- Not disclosed.