CVE-2023-46298: Missing cache control directive for server side props response when using middleware and prefetch · Issue #45301 · vercel/next.js

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.


Verify canary release

  • I verified that the issue exists in the latest Next.js canary release

Provide environment information

Operating System:
  Platform: darwin
  Arch: arm64
  Version: Darwin Kernel Version 22.2.0: Fri Nov 11 02:03:51 PST 2022; root:xnu-8792.61.2~4/RELEASE_ARM64_T6000
Binaries:
  Node: 16.19.0
  npm: 9.4.0
  Yarn: 1.22.19
  pnpm: 7.26.0
Relevant packages:
  next: 13.1.6-canary.1
  eslint-config-next: 13.1.5
  react: 18.2.0
  react-dom: 18.2.0

Which area(s) of Next.js are affected? (leave empty if unsure)

Data fetching (gS(S)P, getInitialProps)

Link to the code that reproduces this issue

https://github.com/muntamala/nextjs-no-cache-issue

To Reproduce

Run the server in production mode

yarn
yarn build
yarn start

and navigate to http://localhost:3000/. Observe the network, for example with Chrome developer tools. When loading the
static home page the app also prefetches the SSR page's JSON. What the response for the SSR page JSON is missing is the
Cache-Control no-cache directive. Navigating to the SSR page results in the SSR page's JSON being re-fetched, and this time
it does include the no-cache directive, but if there were a caching element in between, like a CDN, we would not hit
the actual API until the empty cached response expires.

Describe the Bug

Prefetching data for SSR pages returns an empty object without a Cache-Control header carrying the no-cache directive. This can potentially cause issues with CDNs, as it did in our case. For example, CloudFront having a default TTL value higher than 0 (which by default is 24h) would result in the CDN caching the empty response. The empty cached response would then be served by the CDN when the user navigates to the SSR page and the page tries to fetch server-side props using the same URL (…/ssr.json).

The enabler for this behaviour seems to be using a middleware. If a middleware (middleware.ts) is present then the
prefetch for pages is done separately for each page whose path is present on the page via Link component (prefetch true).

Expected Behavior

I’d expect next.js to behave sensibly in terms of cache control and set no-cache directive for getServerSideProps as
stated in next.js documentation:

If the page uses getServerSideProps or getInitialProps, it will use the default Cache-Control header set by next start
in order to prevent accidental caching of responses that cannot be cached. If you want a different cache behavior while 
using getServerSideProps, use res.setHeader('Cache-Control', 'value_you_prefer') inside of the function as shown above.

Which browser are you using? (if relevant)

Google Chrome 109.0.5414.119 (Official Build) (arm64)

How are you deploying your application? (if relevant)

yarn build, yarn start
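The following is an added example, not code from the issue report or from Next.js. It models how a shared cache such as a CDN treats the two responses the report describes: the prefetched `/_next/data/<buildId>/ssr.json` that arrives with no Cache-Control header at all, and the same URL fetched on navigation with the no-cache directive present. The sample responses are constructed; the build id is a placeholder and the header value on the navigation response is assumed to be the default Next.js sets for getServerSideProps pages. The `findCacheableDataResponses` audit can be pointed at headers captured from the browser's network panel, and `ensureNoCache` shows the application-side fix the quoted documentation describes (setting the header explicitly).

```javascript
// Parse a Cache-Control value into { directive: value }; value === true when bare.
function parseCacheControl(value) {
  const out = {};
  if (typeof value !== 'string') return out;
  for (const raw of value.split(',')) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf('=');
    if (eq === -1) {
      out[part.toLowerCase()] = true;
    } else {
      out[part.slice(0, eq).trim().toLowerCase()] =
        part.slice(eq + 1).trim().replace(/^"|"$/g, '');
    }
  }
  return out;
}

// Seconds for which a shared cache may serve the stored copy WITHOUT contacting
// the origin. 0 means either "not stored" or "stored but revalidated on every
// hit", both of which are safe for this bug. `defaultTtl` models the CDN's
// fallback when the origin sends no freshness information (the report cites
// CloudFront's default of 24h).
function secondsServedFromCache(headers, defaultTtl) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc['no-store'] || cc['private']) return 0; // never stored by a shared cache
  if (cc['no-cache']) return 0;                  // stored, but revalidated each time
  if (cc['s-maxage'] !== undefined) return Number(cc['s-maxage']);
  if (cc['max-age'] !== undefined) return Number(cc['max-age']);
  return defaultTtl;                             // no header: CDN default TTL applies
}

// Audit: flag getServerSideProps data responses (/_next/data/...) that a CDN
// would keep serving without revalidation. Returns the affected URLs.
function findCacheableDataResponses(responses, defaultTtl) {
  return responses
    .filter((r) => r.url.startsWith('/_next/data/') &&
                   secondsServedFromCache(r.headers, defaultTtl) > 0)
    .map((r) => r.url);
}

// Mitigation on the application side, mirroring the documented
// res.setHeader('Cache-Control', ...) approach: add the header when it is absent.
// Header value assumed to match Next.js's default for getServerSideProps.
const NO_CACHE = 'private, no-cache, no-store, max-age=0, must-revalidate';
function ensureNoCache(headers) {
  if (headers['cache-control'] === undefined) {
    return { ...headers, 'cache-control': NO_CACHE };
  }
  return headers;
}

// Constructed sample responses (not captured from a real deployment).
const BUILD_ID = 'BUILD_ID_PLACEHOLDER'; // placeholder, not a real build id
const SAMPLE_RESPONSES = [
  { // prefetch issued from the static home page while middleware is present
    url: `/_next/data/${BUILD_ID}/ssr.json`, status: 200,
    headers: { 'content-type': 'application/json' }, body: '{}',
  },
  { // the same URL fetched on navigation; assumed default gSSP header
    url: `/_next/data/${BUILD_ID}/ssr.json`, status: 200,
    headers: { 'content-type': 'application/json', 'cache-control': NO_CACHE },
    body: '{"pageProps":{"message":"hello"}}',
  },
  { // a hashed static chunk is meant to be cached for a long time
    url: '/_next/static/chunks/main.js', status: 200,
    headers: { 'content-type': 'application/javascript',
               'cache-control': 'public, max-age=31536000, immutable' },
    body: '',
  },
];

const CLOUDFRONT_DEFAULT_TTL = 86400; // 24h, as cited in the report

for (const r of SAMPLE_RESPONSES) {
  console.log(r.url, '->', secondsServedFromCache(r.headers, CLOUDFRONT_DEFAULT_TTL), 's from cache');
}
console.log('at risk:', findCacheableDataResponses(SAMPLE_RESPONSES, CLOUDFRONT_DEFAULT_TTL));
```

Only the first sample is reported as at risk: the empty prefetch response carries no freshness information, so the CDN applies its default TTL, while the navigation response (no-store) and the static chunk (intentionally long-lived) are handled as expected. Note that the decision function is a heuristic model of RFC 9111 shared-cache behaviour, not a particular CDN's exact policy.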

Related news

GHSA-c59h-r6p8-q9wc: Next.js missing cache-control header may lead to CDN caching empty reply

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.
