Description
Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. The vulnerability originated in an upstream library vendored by Next.js. It is fixed in Next.js 15.5.13 and 16.1.7 by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. If upgrading is not immediately possible, block chunked `DELETE`/`OPTIONS` requests on rewritten routes at the edge/proxy, and/or enforce authentication/authorization on backend routes.
Published: 2026-03-18
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTTP Request Smuggling
Action: Immediate Patch
AI Analysis

Impact

A crafted DELETE or OPTIONS request that uses Transfer-Encoding: chunked can cause a request boundary disagreement between a Next.js rewrite proxy and its intended backend. This discrepancy allows an attacker to smuggle a second HTTP request into an unintended backend route, potentially reaching internal or administrative endpoints that the application assumes are protected. The vulnerability is classified as HTTP Request Smuggling (CWE-444) and can undermine the confidentiality, integrity, and availability of the backend when misconfigured rewrite paths are used.

Affected Systems

The affected product is vercel:next.js. Any installation from version 9.5.0 onward that is earlier than 15.5.13 or 16.1.7 is vulnerable. Applications hosted on providers that perform rewrites at the CDN edge, such as Vercel’s own hosting, are not impacted because the rewrite is handled outside the vulnerable component.

Risk and Exploitability

The CVSS score is 6.3, indicating a moderate severity, while the EPSS score is less than 1%, suggesting low current exploitation activity. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to send a specially crafted DELETE/OPTIONS request with a chunked transfer encoding to a rewritten route. The exploitation path is limited to environments where the Next.js rewriting functionality is enabled and does not rely on external CDN rewrites.

Generated by OpenCVE AI on March 18, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch by upgrading Next.js to version 15.5.13 or later, or to version 16.1.7 or later.
  • If an immediate upgrade is not possible, block chunked DELETE/OPTIONS requests on rewritten routes at your edge or proxy layer.
  • Enforce strict authentication and authorization on all backend routes that could be accessed via rewrites.
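The following is an added example, not code from Next.js or from the upstream library it vendors. It reconstructs, from the advisory's description of the fix, the header-normalisation step of a rewrite proxy in its vulnerable and fixed forms (the vulnerable branch is inferred from what the fix changed and is labelled as an assumption), shows how a framing disagreement can be detected from the forwarded headers, and implements the interim edge-side block from the recommended actions. The rewritten route prefixes, the sample request and the header objects (Node's lowercase-key convention) are constructed for the example.

```javascript
// Added example (not Next.js or upstream-library code). Reconstructs, from the
// advisory's description of the fix, the header-normalisation step of a
// rewrite proxy in vulnerable and fixed forms, plus the recommended edge block.
// Header objects use Node's lowercase-key convention; the rewrite prefixes and
// sample request below are constructed assumptions.

const BODYLESS_METHODS = new Set(["DELETE", "OPTIONS"]);

// True when the Transfer-Encoding header lists "chunked" (case-insensitive).
function hasChunkedTE(headers) {
  const te = headers["transfer-encoding"];
  if (typeof te !== "string") return false;
  return te.split(",").map((s) => s.trim().toLowerCase()).includes("chunked");
}

// Vulnerable normalisation (assumed from the fix description): for a
// DELETE/OPTIONS request with no content-length, add content-length: 0 and
// drop transfer-encoding. The chunked body bytes are still relayed, so a
// backend told the body is empty reads them as the start of a new request.
function normalizeVulnerable(method, headers) {
  const out = { ...headers };
  if (BODYLESS_METHODS.has(method) && !("content-length" in out)) {
    out["content-length"] = "0";
    delete out["transfer-encoding"];
  }
  return out;
}

// Fixed normalisation, as the advisory describes it: add content-length: 0
// only when both framing headers are absent, and never remove
// transfer-encoding, so proxy and backend frame the body identically.
function normalizeFixed(method, headers) {
  const out = { ...headers };
  if (
    BODYLESS_METHODS.has(method) &&
    !("content-length" in out) &&
    !("transfer-encoding" in out)
  ) {
    out["content-length"] = "0";
  }
  return out;
}

// Detects the boundary disagreement: the client framed the body as chunked,
// but the forwarded headers tell the backend there is no body at all.
function framingDisagrees(clientHeaders, forwardedHeaders) {
  return (
    hasChunkedTE(clientHeaders) &&
    !hasChunkedTE(forwardedHeaders) &&
    forwardedHeaders["content-length"] === "0"
  );
}

// Interim mitigation from the recommended actions: at the edge or proxy,
// reject chunked DELETE/OPTIONS requests aimed at a rewritten route.
// rewrittenPrefixes is the operator's list of rewrite sources (assumed).
function shouldBlockAtEdge(method, path, headers, rewrittenPrefixes) {
  if (!BODYLESS_METHODS.has(method)) return false;
  if (!hasChunkedTE(headers)) return false;
  return rewrittenPrefixes.some((prefix) => path.startsWith(prefix));
}

// Constructed sample: a chunked DELETE to a route the app rewrites to a backend.
const SAMPLE_REWRITE_PREFIXES = ["/api/"];
const sampleRequest = {
  method: "DELETE",
  path: "/api/items/1",
  headers: { host: "app.example", "transfer-encoding": "chunked" },
};

// Runs the sample through both normalisations and the edge check.
function demo() {
  const vulnerable = normalizeVulnerable(sampleRequest.method, sampleRequest.headers);
  const fixed = normalizeFixed(sampleRequest.method, sampleRequest.headers);
  return {
    vulnerableDisagrees: framingDisagrees(sampleRequest.headers, vulnerable),
    fixedDisagrees: framingDisagrees(sampleRequest.headers, fixed),
    blockedAtEdge: shouldBlockAtEdge(
      sampleRequest.method,
      sampleRequest.path,
      sampleRequest.headers,
      SAMPLE_REWRITE_PREFIXES
    ),
  };
}

console.log(demo());
```

The edge check is deliberately narrow: it matches only the method, framing and route combination the advisory names, so ordinary chunked uploads to non-rewritten routes and non-chunked DELETE/OPTIONS requests pass through. It is a stopgap until the upgrade lands, and it does not replace authorization on the backend routes themselves.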



Advisories
Source       ID                    Title
GitHub GHSA  GHSA-ggv3-7p47-pfv8   Next.js: HTTP request smuggling in rewrites
History

Thu, 19 Mar 2026 00:15:00 +0000

Type        Values Removed           Values Added
References
Metrics     threat_severity: None    threat_severity: Moderate


Wed, 18 Mar 2026 20:00:00 +0000

Type        Values Removed   Values Added
CPEs                         cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
Metrics                      cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Wed, 18 Mar 2026 15:15:00 +0000

Type        Values Removed   Values Added
Metrics                      ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Vercel; Vercel next.js
Vendors & Products                    Vercel; Vercel next.js

Wed, 18 Mar 2026 01:00:00 +0000

Type         Values Removed   Values Added
Description                   (full CVE description text, as shown in the Description section at the top of this page)
Title                         Next.js: HTTP request smuggling in rewrites
Weaknesses                    CWE-444
References
Metrics                       cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T14:47:25.258Z

Reserved: 2026-03-03T17:50:11.244Z

Link: CVE-2026-29057

Vulnrichment

Updated: 2026-03-18T14:47:18.781Z

NVD

Status: Analyzed

Published: 2026-03-18T01:16:05.443

Modified: 2026-03-18T19:49:19.633

Link: CVE-2026-29057

Redhat

Severity: Moderate

Public Date: 2026-03-18T00:30:27Z

Links: CVE-2026-29057 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:53:53Z

Weaknesses