VYPR
Low severity · NVD Advisory · Published Oct 22, 2023 · Updated Sep 12, 2024

CVE-2023-46298

Description

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Next.js before 13.4.20-canary.13 lacks Cache-Control header on empty prefetch responses, allowing CDN caching that can cause denial of service for all users of the same URL.

Vulnerability

Next.js versions prior to 13.4.20-canary.13 do not set a Cache-Control header on the empty prefetch responses returned by the framework. These empty responses are produced during client-side navigation, when the framework prefetches linked pages to reduce latency. Without explicit cache directives, CDNs and intermediate proxies may cache these empty responses [1][2].

Exploitation

An attacker does not need authentication or a special network position; any user navigating a Next.js application that prefetches pages can trigger the issue. Once a CDN has cached the empty response, subsequent users requesting the same URL receive the cached empty result instead of the actual page data [4]. This affects applications deployed behind a CDN with default caching behavior, such as CloudFront (which can have a default TTL of 24 hours) [4].

Impact

The primary impact is a denial of service: legitimate users are served empty prefetch responses, causing pages to appear blank or to fail to load content. The attack affects all users of the same URL via the CDN, potentially causing widespread service disruption. The vulnerability does not result in data exposure or code execution [2].

Mitigation

The issue is fixed in Next.js version 13.4.20-canary.13 and later [3]. The fix adds an explicit Cache-Control header (`private, no-cache, no-store, max-age=0, must-revalidate`) to empty prefetch responses, preventing CDN caching [1]. Users should upgrade to a patched version or configure their CDN so that prefetch responses are not cached.
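The mechanics described in the sections above, as an added example that is not code from Next.js or from the advisory: a toy origin whose prefetch branch mirrors the patched code path (empty `{}` body, `x-middleware-skip` header, and the Cache-Control value from the fix commit), plus a toy shared cache keyed on URL only. The `x-middleware-prefetch` request header, the `/_next/data/BUILD_ID/...` URL and the page payload are constructed assumptions for the example. Run with `node`; the unpatched run shows the second visitor receiving the cached empty body, the patched run shows the request reaching the origin.

```javascript
// Added example (not Next.js code): why an empty prefetch response without
// Cache-Control ends up cached by a CDN and served to every later visitor.

// Header value taken from the fix commit referenced on this page.
const FIX_CACHE_CONTROL = 'private, no-cache, no-store, max-age=0, must-revalidate';

// Hypothetical origin handler. The 'x-middleware-prefetch' request header and the
// URL shape are assumptions; the '{}' body and 'x-middleware-skip' mirror the fix.
function handleRequest(req, { patched }) {
  const isPrefetch = req.headers['x-middleware-prefetch'] === '1';
  if (isPrefetch) {
    const headers = { 'x-middleware-skip': '1' };
    if (patched) headers['cache-control'] = FIX_CACHE_CONTROL;
    return { status: 200, headers, body: '{}' };
  }
  // A normal data request: constructed page payload, cacheable for a minute.
  return {
    status: 200,
    headers: { 'cache-control': 'public, max-age=60', 'content-type': 'application/json' },
    body: JSON.stringify({ pageProps: { path: req.url } }),
  };
}

// Parse a Cache-Control value into a directive map (flags -> true, numbers parsed).
function parseCacheControl(value) {
  const directives = {};
  for (const part of String(value || '').split(',')) {
    const [name, raw] = part.trim().toLowerCase().split('=');
    if (!name) continue;
    directives[name] = raw === undefined ? true : Number(raw);
  }
  return directives;
}

// May a shared cache store this response, and for how many seconds?
// Simplified RFC 9111 rules: no-store or private forbid storing; s-maxage, then
// max-age, give the TTL; with no directive at all the CDN applies its default TTL.
function cdnStoragePolicy(headers, defaultTtl) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc['no-store'] || cc['private']) return { storable: false, ttl: 0 };
  if (typeof cc['s-maxage'] === 'number') return { storable: cc['s-maxage'] > 0, ttl: cc['s-maxage'] };
  if (typeof cc['max-age'] === 'number') return { storable: cc['max-age'] > 0, ttl: cc['max-age'] };
  return { storable: true, ttl: defaultTtl };
}

// Toy CDN keyed on URL only, like a CDN that neither forwards nor varies on custom
// request headers: a cached prefetch body is served to non-prefetch requests too.
class ToyCdn {
  constructor(origin, defaultTtl = 86400) { // 24 h, the CloudFront default cited above
    this.origin = origin;
    this.defaultTtl = defaultTtl;
    this.store = new Map();
  }
  fetch(req, now) {
    const hit = this.store.get(req.url);
    if (hit && now < hit.expires) {
      return { ...hit.response, headers: { ...hit.response.headers, 'x-cache': 'HIT' } };
    }
    const response = this.origin(req);
    const policy = cdnStoragePolicy(response.headers, this.defaultTtl);
    if (policy.storable) this.store.set(req.url, { response, expires: now + policy.ttl });
    return { ...response, headers: { ...response.headers, 'x-cache': 'MISS' } };
  }
}

// Replay the advisory's scenario: one visitor's prefetch, then another visitor's
// real request for the same URL five seconds later.
function simulate(patched) {
  const cdn = new ToyCdn((req) => handleRequest(req, { patched }));
  const url = '/_next/data/BUILD_ID/pricing.json'; // constructed; BUILD_ID is a placeholder
  cdn.fetch({ url, headers: { 'x-middleware-prefetch': '1' } }, 0);
  const second = cdn.fetch({ url, headers: {} }, 5);
  return { servedFromCache: second.headers['x-cache'] === 'HIT', body: second.body };
}

console.log('unpatched:', simulate(false)); // second visitor gets the cached '{}' body
console.log('patched:  ', simulate(true));  // second visitor reaches the origin and gets page data
```

`cdnStoragePolicy` is also a usable check on its own: feed it the response headers captured from your own deployment's prefetch requests and it tells you whether a shared cache is allowed to store them.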

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: next (npm)
Affected versions: >= 0.9.9, < 13.4.20-canary.13
Patched versions: 13.4.20-canary.13

Affected products (2)

  • Next.js / Next.js (source: description)
  • Range: >= 0.9.9, < 13.4.20-canary.13 (source: ghsa-coords)

Patches (1)
20d05958ff85

Add cache control header for prefetch empty responses (#54732)

https://github.com/vercel/next.js · Tommaso De Rossi · Aug 29, 2023 · via ghsa
1 file changed · +4 −0
  • packages/next/src/server/base-server.ts (+4 −0, modified)
    @@ -1614,6 +1614,10 @@ export default abstract class Server<ServerOptions extends Options = Options> {
           !(is404Page || pathname === '/_error')
         ) {
           res.setHeader('x-middleware-skip', '1')
    +      res.setHeader(
    +        'cache-control',
    +        'private, no-cache, no-store, max-age=0, must-revalidate'
    +      )
           res.body('{}').send()
           return null
         }
    
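Review bot: The Cache-Control header is added only to this one early-return branch that sends the empty `{}` body, and the hunk contains nothing that guards any other path producing a similarly empty prefetch body, so review should confirm this is the only such path; the diff also touches a single file with no accompanying test, and a unit test asserting that `cache-control` is present on the `{}` prefetch response would be a cheap guard against regression. The value itself is sound: `no-store` alone already forbids a shared cache from storing the response, and `private` plus `max-age=0, must-revalidate` cover intermediaries that honour only some directives, so the redundancy is deliberate rather than a problem.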

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (0)

No linked articles in our index yet.