Headline
CVE-2023-46298: Missing cache control directive for server side props response when using middleware and prefetch · Issue #45301 · vercel/next.js
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.
Verify canary release
- I verified that the issue exists in the latest Next.js canary release
Provide environment information
Operating System:
Platform: darwin
Arch: arm64
Version: Darwin Kernel Version 22.2.0: Fri Nov 11 02:03:51 PST 2022; root:xnu-8792.61.2~4/RELEASE_ARM64_T6000
Binaries:
Node: 16.19.0
npm: 9.4.0
Yarn: 1.22.19
pnpm: 7.26.0
Relevant packages:
next: 13.1.6-canary.1
eslint-config-next: 13.1.5
react: 18.2.0
react-dom: 18.2.0
Which area(s) of Next.js are affected? (leave empty if unsure)
Data fetching (gS(S)P, getInitialProps)
Link to the code that reproduces this issue
https://github.com/muntamala/nextjs-no-cache-issue
To Reproduce
Run the server in production mode
yarn
yarn build
yarn start
and navigate to http://localhost:3000/. Observer the network for example with chrome developer tools. When loading the
static home page the app also prefetches the ssr pages json. What the response for the SSR page json is missing is
cache-control no-cache directive. Navigating to the ssr page results in the ssr pages json being re-fetched and this time
it does include the no-cache directive but if there would be a caching element in between like a CDN then we would not hit
the actual api until the empty cached response expires.
Describe the Bug
Prefetch of data for SSR pages returning empty object without a cache-control header having no-cache directive. This can potentially cause issues with CDNs as it did in our case. For example CloudFront having a default TTL value of higher than 0, which by default is 24h, would result in the CDN caching the empty response. The empty cached response would then be served by the CDN when user navigates to the SSR page and the page tries to fetch server side props using the same URL (…/ssr.json)
The enabler for this behaviour seems to be using a middleware. If a middleware (middleware.ts) is present then the
prefetch for pages is done separately for each page whose path is present on the page via Link component (prefetch true).
Expected Behavior
I’d expect next.js to behave sensibly in terms of cache control and set no-cache directive for getServerSideProps as
stated in next.js documentation:
If the page uses getServerSideProps or getInitialProps, it will use the default Cache-Control header set by next start
in order to prevent accidental caching of responses that cannot be cached. If you want a different cache behavior while
using getServerSideProps, use res.setHeader('Cache-Control', 'value_you_prefer') inside of the function as shown above.
Which browser are you using? (if relevant)
Google Chrome 109.0.5414.119 (Official Build) (arm64)
How are you deploying your application? (if relevant)
yarn build, yarn start
Related news
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.