CVE-2023-46298

Denial of Service
Affects: Next.js (in Next.js)
Versions: >=13.0.0 <13.4.20-canary.13
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Next.js is a popular open-source React framework that simplifies the development of server-rendered, static, and dynamic web applications by providing built-in features like routing, code splitting, and API routes.

Some versions of Next.js are missing a cache-control header when a pre-fetch returns an empty result. If a CDN caches the empty result and an attacker generates many empty results, users may experience a denial of service.
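The condition described above, an empty response that a shared cache is allowed to store, can be checked for at the origin. The following is an added example, not code from the Next.js project or from HeroDevs: it models a CDN's storage decision from the Cache-Control header, flags empty prefetch responses that the model would store, and shows the mitigation of marking such responses uncacheable. The response object shape, the `isPrefetch` flag, the sample responses and the assumption that a CDN applies a default TTL when Cache-Control is absent are all constructed for this demo, not Next.js internals.

```javascript
// Added example (not Next.js project code): audit and harden empty prefetch
// responses so a shared cache (CDN) cannot store and replay them. The
// response shape, the `isPrefetch` flag and the sample data below are
// constructed for this demo, not Next.js internals.

// Parse a Cache-Control header value into { directive: value | true }.
function parseCacheControl(value) {
  const directives = {};
  if (typeof value !== 'string') return directives;
  for (const part of value.split(',')) {
    const trimmed = part.trim().toLowerCase();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    if (eq === -1) {
      directives[trimmed] = true;
    } else {
      directives[trimmed.slice(0, eq)] = trimmed.slice(eq + 1).replace(/^"|"$/g, '');
    }
  }
  return directives;
}

// Model of a shared cache: a 200 response may be stored and served to other
// clients unless Cache-Control forbids it. A response with no Cache-Control
// at all is treated as storable, because many CDNs apply a default TTL
// (assumption about CDN configuration; vendors differ).
function cdnMayServeCached(headers) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc['no-store'] || cc['private']) return false;
  const ttl = cc['s-maxage'] !== undefined ? cc['s-maxage'] : cc['max-age'];
  if (ttl !== undefined && Number(ttl) === 0) return false;
  return true;
}

function isEmptyBody(body) {
  return body === undefined || body === null || body.length === 0;
}

// Detection: flag the condition the advisory describes, an empty prefetch
// response that the shared-cache model would store.
function auditResponse(resp) {
  const findings = [];
  if (resp.status === 200 && resp.isPrefetch && isEmptyBody(resp.body)
      && cdnMayServeCached(resp.headers)) {
    findings.push('empty prefetch response is storable by a shared cache');
  }
  return findings;
}

// Mitigation: mark empty prefetch responses as uncacheable before they leave
// the origin. Returns a new response object. The header value is a common
// "never cache" combination, not necessarily what Next.js itself emits.
const NO_STORE = 'private, no-cache, no-store, max-age=0, must-revalidate';
function hardenResponse(resp) {
  if (resp.isPrefetch && isEmptyBody(resp.body)) {
    return { ...resp, headers: { ...resp.headers, 'cache-control': NO_STORE } };
  }
  return resp;
}

// Constructed sample responses (not captured from a real deployment).
const SAMPLES = {
  emptyPrefetchNoHeader: { status: 200, isPrefetch: true, headers: {}, body: '' },
  emptyPrefetchNoStore: {
    status: 200, isPrefetch: true,
    headers: { 'cache-control': 'no-store' }, body: '',
  },
  normalPage: {
    status: 200, isPrefetch: false,
    headers: { 'cache-control': 's-maxage=60' }, body: '<html></html>',
  },
};

// Run the audit before and after hardening for each sample.
const REPORT = Object.fromEntries(Object.entries(SAMPLES).map(([name, resp]) => [
  name,
  { before: auditResponse(resp), after: auditResponse(hardenResponse(resp)) },
]));
console.log(JSON.stringify(REPORT, null, 2));
```

Only the first sample is reported before hardening; after `hardenResponse` none of the samples is flagged, and the normal page keeps its own `s-maxage=60` because the hardening touches only empty prefetch responses.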

A Denial of Service (DoS) attack, as outlined by OWASP, is focused on making a resource (site, application, or server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable to legitimate users: by manipulating network packets, or by exploiting programming, logical, or resource-handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or if the way the service handles the resources it uses is abused.

Details

Module Info

  • Product: Next.js
  • Affected packages: Next.js
  • Affected versions: >=13.0.0, <13.4.20-canary.13
  • GitHub Repo: https://github.com/vercel/next.js
  • Published packages: Next.js
  • Package manager: npm
  • Fixed in: 13.4.20-canary.13

Vulnerability Info

This medium-severity vulnerability is found in Next.js in versions equal to or greater than 13.0.0 and less than 13.4.20-canary.13.

Addressing the Issue

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a secure version of the software.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this software.

Credit(s)

  • Not disclosed.

Vulnerability Details

  • ID: CVE-2023-46298
  • Project affected: Next.js
  • Versions affected: >=13.0.0 <13.4.20-canary.13
  • Published date: April 9, 2025
  • ≈ Fix date: December 21, 2023
  • Severity: High
  • Category: Denial of Service

Severity levels (CVSS assessment):

  • Low: >=0 <4
  • Medium: >=4 <6
  • High: >=6 <8
  • Critical: >=8 <10