CVE-2026-27977

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a	Patch
https://github.com/vercel/next.js/releases/tag/v16.1.7	Release Notes
https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36	Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-18 00:16

Updated : 2026-03-18 20:08

NVD link : CVE-2026-27977

Mitre link : CVE-2026-27977

CVE.ORG link : CVE-2026-27977

JSON object : View

Products Affected

vercel

next.js

CWE

CWE-1385

Missing Origin Validation in WebSockets

{"id": "CVE-2026-27977", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-18T00:16:19.947", "references": [{"url": "https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36", "tags": ["Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1385"}]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy."}, {"lang": "es", "value": "Next.js es un framework de React para construir aplicaciones web full-stack. A partir de la versi\u00f3n 16.0.1 y antes de la versi\u00f3n 16.1.7, en 'next dev', la protecci\u00f3n entre sitios para los endpoints internos de websocket podr\u00eda tratar 'Origin: null' como un caso de omisi\u00f3n incluso si allowedDevOrigins est\u00e1 configurado, permitiendo que contextos sensibles a la privacidad/opacos (por ejemplo, documentos en sandbox) se conecten inesperadamente. Si un servidor de desarrollo es accesible desde contenido controlado por el atacante, un atacante podr\u00eda conectarse al canal de websocket HMR e interactuar con el tr\u00e1fico de websocket de desarrollo. Esto afecta solo al modo de desarrollo. Las aplicaciones sin un allowedDevOrigins configurado a\u00fan permiten conexiones desde cualquier origen. El problema se soluciona en la versi\u00f3n 16.1.7 validando 'Origin: null' a trav\u00e9s de las mismas comprobaciones de permiso de origen entre sitios utilizadas para otros or\u00edgenes. Si la actualizaci\u00f3n no es posible de inmediato, no exponga 'next dev' a redes no confiables y/o bloquee las actualizaciones de websocket a /_next/webpack-hmr cuando 'Origin' sea 'null' en el proxy."}], "lastModified": "2026-03-18T20:08:59.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B6AA61BB-C5CD-4725-9A02-BEFA55D52351", "versionEndExcluding": "16.1.7", "versionStartIncluding": "16.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}