CVE-2026-27977
Status: Received - Intake
Cross-Site WebSocket Origin Bypass in Next.js Dev Server

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy.
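The allowance logic the description refers to, as an added model in JavaScript. This is not Next.js's own code: the function names, the simplified matching rules (exact hostname or a leading "*." wildcard) and the treatment of a request with no Origin header at all are assumptions made for the example. What it shows is the difference between short-circuiting the literal `null` origin (which a sandboxed iframe without `allow-same-origin` sends) and routing it through the same check as every other origin.

```javascript
// Added illustrative model of a dev-server origin check. NOT Next.js code:
// names, wildcard matching and missing-Origin handling are assumptions.

// True when `originHost` matches one allowed pattern.
function hostMatches(originHost, pattern) {
  if (pattern.startsWith('*.')) {
    // "*.example.test" matches any subdomain of example.test
    return originHost.endsWith(pattern.slice(1));
  }
  return originHost === pattern;
}

// Hostname of an Origin header value, or null when it is not a parseable URL.
// The literal string "null" (opaque origin) lands here as well.
function originHostname(origin) {
  try {
    return new URL(origin).hostname;
  } catch {
    return null;
  }
}

// Shared allowance check.
//  - allowedDevOrigins undefined: any origin is accepted, mirroring the
//    advisory's note that unconfigured apps allow connections from any origin.
//  - same host as the dev server: accepted.
//  - otherwise the origin must match a configured pattern.
function isAllowedOrigin(originHeader, { serverHost, allowedDevOrigins }) {
  if (allowedDevOrigins === undefined) return true;
  if (originHeader === undefined) return false; // assumption for this model only
  const host = originHostname(originHeader);
  if (host === null) return false;              // "null", garbage, non-URL
  if (host === serverHost) return true;
  return allowedDevOrigins.some((p) => hostMatches(host, p));
}

// Vulnerable shape: the opaque origin is treated as a bypass BEFORE the
// shared check runs, so allowedDevOrigins never gets a say.
function vulnerableUpgradeAllowed(originHeader, config) {
  if (originHeader === 'null') return true; // the bug
  return isAllowedOrigin(originHeader, config);
}

// Fixed shape (what the advisory says 16.1.7 does): "null" goes through the
// same checks as any other origin and is rejected unless the configuration
// allows everything.
function fixedUpgradeAllowed(originHeader, config) {
  return isAllowedOrigin(originHeader, config);
}

// Walk-through on a configured app (hostnames are made up).
const config = { serverHost: 'localhost', allowedDevOrigins: ['dev.example.test'] };
console.log('vulnerable, Origin: null ->', vulnerableUpgradeAllowed('null', config));
console.log('fixed,      Origin: null ->', fixedUpgradeAllowed('null', config));
console.log('fixed, allowed origin   ->', fixedUpgradeAllowed('http://dev.example.test', config));
```

Note that with `allowedDevOrigins` left unset both shapes accept `null` and every other origin alike, which is why the advisory treats the bypass as a problem only for apps that configured the allow-list and expected it to hold.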
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-18
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: vercel
Product: next.js
Version / Range: from 16.0.1 (inclusive) to 16.1.7 (exclusive)
CWE ID Description
CWE-1385 The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27977 is a cross-site WebSocket origin-check flaw in the Next.js development server, affecting `next dev` in versions from 16.0.1 up to but not including 16.1.7. The dev server's internal Hot Module Replacement (HMR) WebSocket endpoint treated the request header `Origin: null` as a bypass case, even when `allowedDevOrigins` was configured. As a result, privacy-sensitive or opaque contexts, such as sandboxed documents (which browsers give the opaque origin `null`), could connect to the development WebSocket channel when the configured allow-list should have kept them out.

An attacker who can get attacker-controlled content to reach the development server may therefore connect to the HMR WebSocket channel and interact with development WebSocket traffic. The problem is limited to development mode and does not affect production builds. Version 16.1.7 fixes it by validating `Origin: null` through the same cross-site origin-allowance checks used for every other origin.


How can this vulnerability impact me? :

If your Next.js development server is reachable from attacker-controlled content, an attacker may connect to the Hot Module Replacement (HMR) WebSocket channel during development and interact with development WebSocket traffic, potentially exposing sensitive information or interfering with the development process.

The impact is limited to development mode and does not affect production environments. Note that if `allowedDevOrigins` is not configured at all, connections from any origin are allowed regardless of this bug, so the allow-list has to be set for the fix to make a difference.

Before upgrading, do not expose the Next.js development server to untrusted networks and/or block WebSocket upgrade requests to `/_next/webpack-hmr` whose `Origin` header is `null` at the proxy.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability shows up as WebSocket connections to the Next.js development server's Hot Module Replacement (HMR) endpoint with an `Origin` header of `null`. To detect it, watch WebSocket upgrade requests to the path `/_next/webpack-hmr` and flag those whose `Origin` header is `null` (or otherwise not one you expect).

Proxy logs or a packet capture on the dev server port (usually 3000) both work. A WebSocket handshake is always an HTTP `GET`, so a tcpdump filter that matches packets whose TCP payload starts with `GET ` (0x47455420) will catch the upgrade request; the data offset must be computed from the TCP header rather than hard-coded, because option lengths vary. With line-buffered output the capture can be piped straight into grep:

  tcpdump -l -i <interface> -A 'tcp dst port 3000 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' | grep -E 'GET /_next/webpack-hmr|^Origin: null'

This prints the request line of each HMR upgrade and any `Origin: null` header that follows it; a `null` origin immediately after a `/_next/webpack-hmr` request line is the case to investigate. Alternatively, inspect proxy or web server logs for WebSocket upgrade requests to `/_next/webpack-hmr` with `Origin` set to `null` (the proxy's log format has to include the Origin and Upgrade headers for this to be visible).

Note that this vulnerability only affects development mode, and the dev server must be reachable from attacker-controlled content for exploitation.
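The log-based check above, as an added JavaScript example that is not part of the original advisory or of Next.js. It assumes a reverse proxy in front of `next dev` whose access log records the request line, status, and the `Upgrade` and `Origin` headers in the layout shown in the comment (nginx's default `combined` format records neither header, so a custom `log_format` is a prerequisite); the log lines themselves are constructed for the example.

```javascript
// Added detection example (not from the advisory). Scans reverse-proxy access
// log lines for WebSocket upgrades to the HMR endpoint whose Origin is "null".
// Assumed log line layout (e.g. an nginx log_format):
//   '$remote_addr [$time_local] "$request" $status upgrade="$http_upgrade" origin="$http_origin"'

const HMR_PATH = '/_next/webpack-hmr';

const LINE_RE =
  /^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) upgrade="([^"]*)" origin="([^"]*)"$/;

// One log line -> structured entry, or null when it does not fit the layout.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    time: m[2],
    method: m[3],
    path: m[4],
    status: Number(m[5]),
    upgrade: m[6].toLowerCase(),
    origin: m[7],
  };
}

// Returns every HMR WebSocket upgrade attempt carrying the opaque "null"
// origin. `succeeded` is true when the proxy answered 101 Switching
// Protocols, i.e. the connection was actually established; other statuses
// are attempts that were refused somewhere.
function findNullOriginHmrUpgrades(lines) {
  const hits = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    if (e.upgrade !== 'websocket') continue;
    if (e.path.split('?')[0] !== HMR_PATH) continue;
    if (e.origin !== 'null') continue;
    hits.push({ ...e, succeeded: e.status === 101 });
  }
  return hits;
}

// Constructed sample lines, not real traffic. Line 1 is a normal same-host
// HMR client, line 2 a successful null-origin connection, line 3 one that a
// proxy rule refused, line 4 an unrelated request that also carried Origin: null.
const SAMPLE_LOG = [
  '127.0.0.1 [18/Mar/2026:10:00:01 +0000] "GET /_next/webpack-hmr?page=/ HTTP/1.1" 101 upgrade="websocket" origin="http://localhost:3000"',
  '10.0.0.7 [18/Mar/2026:10:00:05 +0000] "GET /_next/webpack-hmr HTTP/1.1" 101 upgrade="websocket" origin="null"',
  '10.0.0.7 [18/Mar/2026:10:00:06 +0000] "GET /_next/webpack-hmr HTTP/1.1" 403 upgrade="websocket" origin="null"',
  '10.0.0.9 [18/Mar/2026:10:00:09 +0000] "GET /api/health HTTP/1.1" 200 upgrade="" origin="null"',
];

for (const hit of findNullOriginHmrUpgrades(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.ip} ${hit.path} status=${hit.status} established=${hit.succeeded}`);
}
```

Run it against a real log with `findNullOriginHmrUpgrades(fs.readFileSync(path, 'utf8').split('\n'))`; established (101) hits from addresses other than the developer's own machine are the ones worth pulling the full session for.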


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Next.js to version 16.1.7 or later, where `Origin: null` on WebSocket connections is validated through the same origin-allowance checks as any other origin.

If upgrading immediately is not possible:

- Do not expose the Next.js development server (`next dev`) to untrusted networks.
- Block WebSocket upgrade requests to the `/_next/webpack-hmr` endpoint whose `Origin` header is `null` at the proxy or firewall level.

These mitigations prevent unauthorized cross-site WebSocket connections during development, reducing the risk of privacy-sensitive information exposure or interference with development traffic.

