Description
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.
Published: 2026-03-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery via null origin bypass
Action: Patch
AI Analysis

Impact

In Next.js, when an HTTP request's Origin header is set to the string "null", it is treated as if no origin were supplied during Server Action CSRF validation. This logic flaw means that requests originating from opaque contexts, such as sandboxed iframes or other contexts whose origin serializes to "null", pass through the CSRF check instead of being evaluated as cross-origin. An attacker can exploit this behavior by causing a victim's browser to load a malicious resource that sends a Server Action request with an origin of "null". Because the request is not rejected, the action executes with the victim's credentials, resulting in an unauthorized state change. The underlying weaknesses are an origin validation error (CWE-346) and a classic Cross-Site Request Forgery vulnerability (CWE-352).

Affected Systems

The vulnerability affects the Vercel Next.js framework. All releases in the 16.x series from version 16.0.1 up through 16.1.6 are affected. The specific product identifier is cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. EPSS is recorded as less than 1%, implying a low projected exploitation likelihood under current threat intelligence. This issue is not listed in the CISA KEV catalog. The attack vector is client‑side: an attacker must embed a malicious iframe or otherwise force a victim’s browser to issue a Server Action with an origin of "null". Exploitation requires that the target application enables Server Actions and that a user who is authenticated visits or views the malicious content. If an application has elevated privileges tied to these actions, the misuse can lead to unauthorized data modification. Given the requirements, the immediate threat is moderate but mitigatable by applying the vendor patch or recommended workarounds.

Generated by OpenCVE AI on March 19, 2026 at 02:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to version 16.1.7 or later to enforce explicit origin validation
  • Configure experimental.serverActions.allowedOrigins to permit "null" only if explicitly required, and protect any Server Actions reachable from such requests with an additional control (for example, CSRF tokens)
  • Add CSRF tokens to all sensitive Server Actions
  • Prefer SameSite=Strict on authentication cookies to reduce browser‑side attack surface

Advisories
Source: GitHub GHSA
ID: GHSA-mq59-m269-xvcx
Title: Next.js: null origin can bypass Server Actions CSRF checks
History

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 18 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Vercel
Vercel next.js
Vendors & Products Vercel
Vercel next.js

Wed, 18 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description
Values Removed: Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrade is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.
Values Added: Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.

Wed, 18 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Description Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrade is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.
Title Next.js: null origin can bypass Server Actions CSRF checks
Weaknesses CWE-352
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T19:48:04.820Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27978

Vulnrichment

Updated: 2026-03-18T19:48:00.450Z

NVD

Status : Analyzed

Published: 2026-03-18T00:16:20.117

Modified: 2026-03-18T20:05:48.490

Link: CVE-2026-27978

Redhat

Severity : Moderate

Public Date: 2026-03-17T23:59:22Z

Links: CVE-2026-27978 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:54:14Z

Weaknesses