CVE-2026-27977
Received Received - Intake
Cross-Site WebSocket Origin Bypass in Next.js Dev Server

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27977
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vercel next.js From 16.0.1 (inc) to 16.1.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1385 The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27977 is a low-severity vulnerability in the Next.js framework affecting development mode versions from 16.0.1 up to but not including 16.1.7. The issue arises because the development server's internal Hot Module Replacement (HMR) WebSocket endpoint improperly treats the HTTP header 'Origin: null' as a bypass, even when a configuration called 'allowedDevOrigins' is set. This means that privacy-sensitive or opaque contexts, such as sandboxed documents, can unexpectedly connect to the development WebSocket channel."}, {'type': 'paragraph', 'content': "This vulnerability allows an attacker who can reach the development server from attacker-controlled content to connect to the HMR WebSocket channel and interact with development WebSocket traffic. The problem is limited to development mode only and does not affect production builds. The issue was fixed in version 16.1.7 by validating 'Origin: null' through the same cross-site origin allowance checks used for other origins."}] [3, 2, 1]

Impact Analysis

[{'type': 'paragraph', 'content': 'If your Next.js development server is reachable from attacker-controlled content, an attacker may exploit this vulnerability to connect to the Hot Module Replacement (HMR) WebSocket channel during development. This could allow the attacker to interact with development WebSocket traffic, potentially exposing sensitive information or interfering with the development process.'}, {'type': 'paragraph', 'content': "The impact is limited to development mode and does not affect production environments. However, if the 'allowedDevOrigins' configuration is not set, connections from any origin are allowed, increasing the risk."}, {'type': 'paragraph', 'content': "To mitigate the risk before upgrading, it is recommended not to expose the Next.js development server to untrusted networks and/or to block WebSocket upgrade requests to '/_next/webpack-hmr' when the 'Origin' header is 'null' at the proxy level."}] [3, 1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves unauthorized WebSocket connections to the Next.js development server's Hot Module Replacement (HMR) endpoint when the Origin header is 'null'. To detect it, monitor WebSocket upgrade requests to the path '/_next/webpack-hmr' and check for requests where the Origin header is 'null' or unexpected."}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or proxy logs to identify such WebSocket upgrade attempts. For example, using tcpdump or tshark to filter WebSocket upgrade requests with Origin: null headers might help.'}, {'type': 'list_item', 'content': 'Use tcpdump or tshark to capture WebSocket upgrade requests to the development server on the relevant port (usually 3000):'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A 'tcp port 3000 and (((tcp[32:4] = 0x47455420) or (tcp[32:4] = 0x50554f53)))' | grep 'Origin: null'"}, {'type': 'list_item', 'content': "Alternatively, inspect proxy or web server logs for WebSocket upgrade requests to '/_next/webpack-hmr' with Origin headers set to 'null'."}, {'type': 'paragraph', 'content': 'Note that this vulnerability only affects development mode and the dev server must be reachable from attacker-controlled content for exploitation.'}] [2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': "The primary mitigation is to upgrade Next.js to version 16.1.7 or later, where the vulnerability is fixed by properly validating 'Origin: null' headers on WebSocket connections."}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, the following steps should be taken:'}, {'type': 'list_item', 'content': "Do not expose the Next.js development server ('next dev') to untrusted networks."}, {'type': 'list_item', 'content': "Block WebSocket upgrade requests to the '/_next/webpack-hmr' endpoint when the Origin header is 'null' at the proxy or firewall level."}, {'type': 'paragraph', 'content': 'These mitigations help prevent unauthorized cross-site WebSocket connections during development, reducing the risk of privacy-sensitive information exposure or interference with development traffic.'}] [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27977. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart