Description
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy.
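The bypass the advisory describes is easiest to see next to its fix. The block below is an added illustration, not Next.js source code: it sketches a dev-server websocket origin check that short-circuits `Origin: null` before consulting the allowlist, beside a corrected form that passes "null" through the same allowance logic as any other origin. Only the option name `allowedDevOrigins` and the header value `Origin: null` come from the advisory; the function names, the `LOCAL_HOSTS` set, the wildcard rule and the decision to accept handshakes with no `Origin` header at all (non-browser clients) are assumptions made for this example.

```javascript
// Added illustration (not Next.js source code): a dev-server websocket
// origin check that short-circuits `Origin: null`, beside the corrected
// form that routes "null" through the same allowance logic as any origin.
// `allowedDevOrigins` mirrors the next.config.js option name; the function
// names, LOCAL_HOSTS and the wildcard rule are assumptions for this example.

// Hostnames the dev server itself is served from; a same-origin page's
// websocket carries one of these in its Origin header.
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Hostname of an Origin header value, or null when it is not a URL.
// The literal value "null" is not a URL, so it parses to null here.
function hostnameOf(origin) {
  try {
    return new URL(origin).hostname;
  } catch {
    return null;
  }
}

// Does `hostname` match an allowedDevOrigins entry? Entries are hostnames,
// optionally with a leading wildcard label ("*.lan.example.test").
function matchesAllowedDevOrigin(hostname, allowedDevOrigins) {
  return allowedDevOrigins.some((pattern) => {
    if (pattern.startsWith("*.")) {
      const suffix = pattern.slice(1); // ".lan.example.test"
      return hostname.length > suffix.length && hostname.endsWith(suffix);
    }
    return hostname === pattern;
  });
}

// VULNERABLE shape: an opaque origin is accepted before the allowlist is
// consulted. Sandboxed iframes, data: URLs and similar privacy-sensitive
// contexts send exactly `Origin: null`, so any such document gets through.
function isAllowedWsOriginVulnerable(origin, allowedDevOrigins, reqHostname) {
  if (origin === undefined) return true; // assumption: no Origin = non-browser client
  if (origin === "null") return true;    // <- the bypass
  const hostname = hostnameOf(origin);
  if (hostname === null) return false;
  return (
    hostname === reqHostname ||
    LOCAL_HOSTS.has(hostname) ||
    matchesAllowedDevOrigin(hostname, allowedDevOrigins)
  );
}

// FIXED shape: "null" is treated as an ordinary, non-matching origin, so it
// is accepted only if an allowedDevOrigins entry literally equals "null".
function isAllowedWsOriginFixed(origin, allowedDevOrigins, reqHostname) {
  if (origin === undefined) return true; // unchanged from the vulnerable form
  const hostname = origin === "null" ? "null" : hostnameOf(origin);
  if (hostname === null) return false;
  return (
    hostname === reqHostname ||
    LOCAL_HOSTS.has(hostname) ||
    matchesAllowedDevOrigin(hostname, allowedDevOrigins)
  );
}

// Run both checks over a constructed set of handshake origins (sample data).
function compareChecks() {
  const allowedDevOrigins = ["dev.example.test", "*.lan.example.test"];
  const reqHostname = "localhost";
  const origins = [
    "http://localhost:3000",
    "https://dev.example.test",
    "https://box.lan.example.test",
    "https://attacker.example",
    "null",
  ];
  const out = {};
  for (const o of origins) {
    out[o] = {
      vulnerable: isAllowedWsOriginVulnerable(o, allowedDevOrigins, reqHostname),
      fixed: isAllowedWsOriginFixed(o, allowedDevOrigins, reqHostname),
    };
  }
  return out;
}

console.table(compareChecks());
```

The only row where the two columns differ is `null`: the vulnerable check admits it even though the allowlist names no such origin, while the fixed check rejects it like any other unlisted host. Note that neither form helps an app that has no `allowedDevOrigins` configured at all, since the advisory states such apps accept connections from any origin.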
Published: 2026-03-17
Score: 2.3 Low (CVSS v4.0)
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

In `next dev`, the cross-site protection on the hot-module-replacement (HMR) websocket endpoint treats an `Origin: null` header as a bypass, even when `allowedDevOrigins` is configured. Content running in an opaque-origin context (for example a sandboxed document) can therefore open the HMR channel and interact with dev websocket traffic, a cross-site websocket hijacking that the advisory describes as a CSRF-check bypass; the effect is unchecked access to development data and the ability to disrupt the developer's workflow. The weakness is tracked as CWE-1385 (Missing Origin Validation in WebSockets) and CWE-346 (Origin Validation Error). Based on the description, the likely attack vector is attacker-controlled content that can reach the dev server, for example on a shared local network or through an exposed development port, opening a websocket to `/_next/webpack-hmr` with a null origin.

Affected Systems

The advisory covers Vercel Next.js from version 16.0.1 up to, but not including, 16.1.7, and only the `next dev` development server. Independently of this bug, any dev server without a configured `allowedDevOrigins` accepts websocket connections from every origin, null included, so the fix only changes behaviour for apps that have set the allowlist.

Risk and Exploitability

The CVSS v4.0 base score of 2.3 is Low; its vector (AT:P, UI:P) reflects that exploitation needs both a reachable dev server and a user who loads the attacker's content. NVD separately recorded a CVSS v3.1 score of 5.4 (Medium). EPSS is below 1%, the CVE is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. Because the dev server must be reachable from attacker-controlled content, the risk stays low unless `next dev` is exposed to untrusted networks. Where it is exposed, an attacker serves content that opens a websocket to /_next/webpack-hmr with `Origin: null`, which the affected versions wave through despite the configured allowlist.

Generated by OpenCVE AI on March 19, 2026 at 01:56 UTC.

Remediation

Fixed in Next.js 16.1.7, which validates `Origin: null` through the same cross-site origin-allowance checks used for other origins. Until upgraded, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` that carry `Origin: null` at the proxy.

OpenCVE Recommended Actions

  • Upgrade vercel:next.js to version 16.1.7 or later.
  • If an upgrade is not immediately possible, ensure that the "next dev" server is not exposed to untrusted networks.
  • Configure your reverse proxy or firewall to block websocket upgrade requests to "/_next/webpack-hmr" when the Origin header is "null". This covers the null-origin case only; a dev server with no "allowedDevOrigins" configured still accepts every other origin.


Tracking

Sign in to view the affected projects.

Advisories
Source: GitHub GHSA
ID: GHSA-jcc7-9wpm-mj36
Title: Next.js: null origin can bypass dev HMR websocket CSRF checks
History

Thu, 19 Mar 2026 00:15:00 +0000

Weaknesses: added CWE-346
References: updated
Metrics threat_severity: None -> Moderate


Wed, 18 Mar 2026 21:15:00 +0000

Metrics ssvc: added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 20:15:00 +0000

CPEs: added cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1: added {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}



Wed, 18 Mar 2026 12:15:00 +0000

First Time appeared: Vercel, Vercel next.js
Vendors & Products: added Vercel, Vercel next.js

Wed, 18 Mar 2026 01:00:00 +0000

Description: wording of the final sentence changed from "If upgrade is not immediately possible, do not expose `next dev` to untrusted networks ..." to "If upgrading is not immediately possible, ..."; the rest of the description is unchanged.

Wed, 18 Mar 2026 00:15:00 +0000

Description: added (the text shown in the Description section above, except that the final sentence then read "If upgrade is not immediately possible, ...")
Title: added Next.js: null origin can bypass dev HMR websocket CSRF checks
Weaknesses: added CWE-1385
References: added
Metrics cvssV4_0: added {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T19:56:16.843Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27977

Vulnrichment

Updated: 2026-03-18T19:56:13.510Z

NVD

Status : Analyzed

Published: 2026-03-18T00:16:19.947

Modified: 2026-03-18T20:08:59.887

Link: CVE-2026-27977

Red Hat

Severity : Moderate

Public Date: 2026-03-17T23:56:24Z

Links: CVE-2026-27977 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:54:15Z

Weaknesses