by czk 453 days ago
Also worth noting that this commit in Dec 2024 previously added a bunch of internal headers (aside from this one) to a restricted external access list (one of them was vulnerable to SSRF) and there was never a CVE for it.

https://github.com/vercel/next.js/pull/73482/files

Source: https://news.ycombinator.com/item?id=43449986