CVE Tools
Sign in

CVE-2026-27977

Next.js: null origin can bypass dev HMR websocket CSRF checks

Published: Mar 17, 2026Updated: Mar 18, 2026 Sources: CVE List NVD GHSA BDUCWE-1385
NVD MITRE
5.4CVSSMEDIUM
EPSS Score
0.2%
Top 93.3%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:RS:UC:LI:LA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:RUser Interaction
Required
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:LIntegrity
Low
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-1385

Affected Products

next.jsvercel
LibraryLibrary
OSS Libraries / web-framework
nextnpmOSS Libraries
Next.jsVercel
LibraryLibrary
OSS Libraries / web-framework
vercelcommercialUSOSS Librariesaka vercel
npmpackage-ecosystemOSS Libraries

Exploitability

Official Patch Available

References

https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
github.com
https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a
github.com
https://github.com/vercel/next.js/releases/tag/v16.1.7
github.com
and 2 more references View all →

Timeline

Published
Mar 17, 2026
Last Updated
Mar 18, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-27977 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows