
[FALSE-POSITIVE] Next.js - Cache Poisoning - Headers (2) #12000

@DShelef


Template IDs or paths

- http/vulnerabilities/nextjs/next-js-cache-poisoning.yaml
- http/vulnerabilities/nextjs/nextjs-middleware-cache.yaml

Environment

Not relevant

Steps To Reproduce

Run nuclei -t http/vulnerabilities/nextjs/nextjs-middleware-cache.yaml,http/vulnerabilities/nextjs/next-js-cache-poisoning.yaml -u <WEBAPP>

Relevant dumped responses

GET /?cb=39742 HTTP/1.1
Host: <WEBAPP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
Connection: close
Accept-Encoding: gzip

------------------------------------------------

HTTP/1.1 200 OK
Connection: close
Content-Length: 2
Cache-Control: max-age=0, no-cache, no-store
Date: Tue, 15 Apr 2025 09:02:46 GMT
Expires: Tue, 15 Apr 2025 09:02:46 GMT
Pragma: no-cache
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=1
Server-Timing: ak_p; desc="1744707766444_388045968_1093107033_19_32856_10_26_-";dur=1
Strict-Transport-Security: max-age=15552000; includeSubDomains;
X-Content-Type-Options: nosniff
X-Matched-Path: /
X-Middleware-Skip: 1

{}

Anything else?

The issue was reported by nuclei even though the webapp isn't vulnerable.

According to the reference in both templates (link), "Since version 13.4.20-canary.13, Next.js has added cache-control to SSR responses to prevent them from being cached". As you can see in the dumped response above, the header cache-control was added and even Pragma: no-cache was added. None of them is checked for in the templates.

It was already resolved for a third template here. I guess solving it for these two should be easy.
Maybe you should consider merging the 3 templates into one, but I haven't tried to figure out the differences between them.
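
The header check the report asks for can be sketched as follows. This is an added Python example, not code from the templates or the nuclei project; the function names and the set of directives treated as blocking are assumptions of the sketch, and the sample headers are taken from the dumped response above.

```python
# Added example: decide from response headers whether shared caching is
# forbidden, so a cache-poisoning match can be flagged as a false positive.

# Header subset copied from the dumped response in the report.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Length: 2
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Server-Timing: cdn-cache; desc=HIT
X-Middleware-Skip: 1
"""

# Assumption: any of these directives means a shared cache must not reuse it.
BLOCKING = {"no-store", "no-cache", "private"}

def parse_headers(raw):
    """Return {lowercased-name: [values]} from a status line plus header block."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cache_directives(headers):
    """Parse Cache-Control into {directive: value-or-None}, merging repeats."""
    directives = {}
    for value in headers.get("cache-control", []):
        for part in value.split(","):
            key, _, arg = part.strip().partition("=")
            if key:
                directives[key.lower()] = arg.strip('"') or None
    return directives

def caching_forbidden(raw):
    """Return (forbidden, reasons) for a raw response header block."""
    headers = parse_headers(raw)
    directives = cache_directives(headers)
    reasons = sorted(BLOCKING.intersection(directives))
    for key in ("s-maxage", "max-age"):    # s-maxage wins for shared caches
        if key in directives:
            if directives[key] == "0":
                reasons.append(f"{key}=0")
            break
    if any(v.lower() == "no-cache" for v in headers.get("pragma", [])):
        reasons.append("pragma: no-cache")
    return bool(reasons), reasons
```

A scanner wrapper would report the finding only when `caching_forbidden` returns `False` for the response that matched.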

Labels: Done (Ready to merge), false-positive (Nuclei template reporting invalid/unexpected result)
