By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2023-46298

Denial of Service

Affects

Next.js

<13.4.20-canary.13

Next.js

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

‍Overview

Next.js is a popular open-source React framework that simplifies the development of server-rendered, static, and dynamic web applications by providing built-in features like routing, code splitting, and API routes.

Some versions of Next.js are missing a cache-control header when a pre-fetch returns an empty result. If a CDN caches the empty result and an attacker generates many empty results, users may experience a denial of service.

A Denial of Service (DoS) attack, as outlined by OWASP, is focused on making a resource (site, application, or server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.

‍

Details

Module Info

Product: Next.js

Affected packages: Next.js

Affected versions: <13.4.20-canary.13

GitHub Repo: https://github.com/vercel/next.js/pull/54732/commits/f5cce3902e08c09e1fa7d4dd3cbc6b9287789a31

Published packages: Next.js

Package manager: npm

‍

Vulnerability Info

This medium-severity vulnerability is found in the Next.js in versions lower than 13.4.20-canary.13.

‍

Steps To Reproduce

Set up a Next.js environment that is vulnerable to this exploit, such as version 13.4.19 or earlier.
Set up a local proxy or use a service like ngrok to simulate CDN behavior with caching enabled. Alternatively, configure a simple caching server using tools like Varnish or Squid.
Create a basic Next.js app with prefetching enabled.
Edit pages/index.js to include a prefetchable link:

import Link from 'next/link';

export default function Home() {
  return (
    <div>
      <h1>Home Page</h1>
      <Link href="/test" prefetch>
        Go to Test Page
      </Link>
    </div>
  );
}

‍

Create pages/test.js:

export default function Test() {
  return <h1>Test Page</h1>;
}

‍

Build and run the app:

npm run build && npm run start

‍

The app should now be running on http://localhost:3000.
‍

Use a tool like ngrok to expose your local server:

ngrok http 3000

‍

Trigger a prefetch by opening a browser and navigating to the ngrok URL (e.g., https://your-ngrok-id.ngrok.io).
Hover over or visit the /test link to trigger Next.js's prefetch mechanism. This sends a request to /_next/data/.../test.json, which is used for client-side navigation.

‍

Addressing the Issue

Users of the affected components should apply one of the following mitigations:

Upgrade to a secure version of the software.
Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this software.

‍