CVE-2026-27977

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-27977
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a Patch
https://github.com/vercel/next.js/releases/tag/v16.1.7 Release Notes
https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36 Vendor Advisory Mitigation
Configurations

Configuration 1 (hide)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
History

18 Mar 2026, 20:08

Type Values Removed Values Added
First Time Vercel next.js
Vercel
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.4
CPE cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
References () https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a - () https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a - Patch
References () https://github.com/vercel/next.js/releases/tag/v16.1.7 - () https://github.com/vercel/next.js/releases/tag/v16.1.7 - Release Notes
References () https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36 - () https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36 - Vendor Advisory, Mitigation

18 Mar 2026, 14:52

Type Values Removed Values Added
Summary
  • (es) Next.js es un framework de React para construir aplicaciones web full-stack. A partir de la versión 16.0.1 y antes de la versión 16.1.7, en 'next dev', la protección entre sitios para los endpoints internos de websocket podría tratar 'Origin: null' como un caso de omisión incluso si allowedDevOrigins está configurado, permitiendo que contextos sensibles a la privacidad/opacos (por ejemplo, documentos en sandbox) se conecten inesperadamente. Si un servidor de desarrollo es accesible desde contenido controlado por el atacante, un atacante podría conectarse al canal de websocket HMR e interactuar con el tráfico de websocket de desarrollo. Esto afecta solo al modo de desarrollo. Las aplicaciones sin un allowedDevOrigins configurado aún permiten conexiones desde cualquier origen. El problema se soluciona en la versión 16.1.7 validando 'Origin: null' a través de las mismas comprobaciones de permiso de origen entre sitios utilizadas para otros orígenes. Si la actualización no es posible de inmediato, no exponga 'next dev' a redes no confiables y/o bloquee las actualizaciones de websocket a /_next/webpack-hmr cuando 'Origin' sea 'null' en el proxy.

18 Mar 2026, 01:16

Type Values Removed Values Added
Summary (en) Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrade is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy. (en) Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy.

18 Mar 2026, 00:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-18 00:16

Updated : 2026-03-18 20:08

NVD link : CVE-2026-27977

Mitre link : CVE-2026-27977

CVE.ORG link : CVE-2026-27977

JSON object : View

Products Affected

vercel

  • next.js
CWE
CWE-1385

Missing Origin Validation in WebSockets