CVE-2023-46298

Denial of Service

Affects: Next.js >=13.0.0 <13.4.20-canary.13

Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Next.js is a popular open-source React framework that simplifies the development of server-rendered, static, and dynamic web applications by providing built-in features like routing, code splitting, and API routes. 

Affected versions of Next.js omit the Cache-Control header when a prefetch returns an empty result. If a CDN in front of the application caches that empty result, and an attacker generates many such empty results, legitimate users may experience a denial of service.
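As an added example (not code from this advisory or from the Next.js project), the following audit inspects captured HTTP responses for the pattern described above: an empty 200 response served without a Cache-Control header, which a shared cache such as a CDN may store heuristically. The sample responses and their header values are constructed for illustration.

```javascript
// Added example, not code from the advisory or from Next.js: audit captured HTTP
// responses for an empty body served without a Cache-Control header, and estimate
// whether a shared cache (CDN) would be allowed to store the response.

function parseCacheControl(value) {
  // Map each directive to its argument, or to true when it has none.
  const directives = {};
  if (!value) return directives;
  for (const part of value.split(",")) {
    const [name, arg] = part.trim().toLowerCase().split("=");
    if (name) directives[name] = arg === undefined ? true : arg.replace(/"/g, "");
  }
  return directives;
}

function sharedCacheMayStore(headers) {
  // Simplified RFC 9111 rules for a shared cache: private/no-store forbid storage,
  // public or an explicit freshness lifetime permit it, and a response with no
  // Cache-Control at all may be stored heuristically (the case this advisory covers).
  const raw = headers["cache-control"];
  const cc = parseCacheControl(raw);
  if (cc["no-store"] || cc["private"]) return false;
  if (cc["public"] || cc["s-maxage"] !== undefined || cc["max-age"] !== undefined) return true;
  return raw === undefined;
}

function auditResponse(resp) {
  // resp = { status, headers, body }; header names may be in any case.
  const headers = Object.fromEntries(
    Object.entries(resp.headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const findings = [];
  if (resp.status !== 200) return findings;
  const empty = !resp.body || resp.body.length === 0;
  if (empty && headers["cache-control"] === undefined) {
    findings.push("empty 200 response has no Cache-Control header: a CDN may cache and replay it");
  } else if (empty && sharedCacheMayStore(headers)) {
    findings.push("empty 200 response is explicitly cacheable by shared caches");
  }
  return findings;
}

// Constructed samples: an empty prefetch result with and without cache directives.
const SAMPLES = {
  missingHeader: { status: 200, headers: { "Content-Type": "application/json" }, body: "" },
  noStore: { status: 200, headers: { "Cache-Control": "private, no-store" }, body: "" },
  cacheableEmpty: { status: 200, headers: { "Cache-Control": "public, s-maxage=60" }, body: "" },
  normal: { status: 200, headers: { "Cache-Control": "s-maxage=60" }, body: "{\"data\":1}" },
};
```

Running `auditResponse` over responses captured at the CDN edge (or in a staging proxy) surfaces empty responses that lack explicit cache directives before a cache can serve them to every user.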

A Denial of Service (DoS) attack, as outlined by OWASP, is focused on making a resource (site, application, or server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable to legitimate users, including manipulating network packets and exploiting programming, logic, or resource-handling vulnerabilities. If a service receives a very large number of requests, it may cease to be available to legitimate users. Likewise, a service may stop if a programming vulnerability, or a flaw in the way the service handles the resources it uses, is exploited.

Details

Module Info

Product: Next.js

Affected packages: Next.js

Affected versions: >=13.0.0, <13.4.20-canary.13

GitHub Repo: https://github.com/vercel/next.js

Published packages: Next.js

Package manager: npm

Fixed in: 13.4.20-canary.13

Vulnerability Info

This medium-severity vulnerability is found in Next.js versions equal to or greater than 13.0.0 and less than 13.4.20-canary.13.

Addressing the Issue

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a secure version of the software.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this software.

Credit(s)

  • Not disclosed.

Vulnerability Details

ID: CVE-2023-46298

Project affected: Next.js

Versions affected: >=13.0.0 <13.4.20-canary.13

Published date: April 9, 2025

≈ Fix date: December 21, 2023

Fixed in: 13.4.20-canary.13

Severity: High

Category: Denial of Service