CVE-2026-29057
Request Smuggling in Next.js Proxy Rewrites Allows Backend Access
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vercel | next.js | From 16.0.0 (inc) to 16.1.7 (exc) |
| vercel | next.js | From 9.5.0 (inc) to 15.5.13 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29057 is an HTTP request smuggling vulnerability in the Next.js framework, specifically in its proxying of rewritten routes to external backends. When a crafted DELETE or OPTIONS HTTP request with a Transfer-Encoding: chunked header is sent, it causes a disagreement in how the proxy and backend server interpret the request boundaries. This allows an attacker to smuggle a second unauthorized HTTP request to unintended backend routes, such as internal or administrative endpoints, bypassing the intended rewrite restrictions.
The root cause is improper handling of Content-Length and Transfer-Encoding headers in an upstream library used by Next.js. The vulnerability is fixed by updating this dependency to add Content-Length: 0 only when both Content-Length and Transfer-Encoding headers are absent, and by no longer removing the Transfer-Encoding header improperly.
If upgrading is not immediately possible, mitigations include blocking chunked DELETE and OPTIONS requests on rewritten routes at the edge or proxy level and enforcing strict authentication and authorization on backend routes.
How can this vulnerability impact me?
This vulnerability can allow an attacker to smuggle additional HTTP requests through the Next.js proxy to backend routes that should not be accessible, such as internal or administrative endpoints. This bypasses the security assumptions that only the configured rewrite destination/path is reachable.
As a result, unauthorized requests could be executed on backend services, potentially leading to unauthorized access, manipulation of backend functionality, or exposure of sensitive internal endpoints.
However, applications hosted on providers that handle rewrites at the CDN level, such as Vercel, are not impacted by this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying crafted HTTP DELETE or OPTIONS requests using the Transfer-Encoding: chunked header that could cause request boundary disagreements between the proxy and backend.
Testing setups simulate an intermediary proxy and backend server where crafted HTTP payloads attempt to smuggle a second request (e.g., GET /secret) after a legitimate request (DELETE /rewrites/poc or OPTIONS /rewrites/poc) using chunked transfer encoding and various Connection header values.
To detect potential exploitation, monitor HTTP traffic for unusual or unexpected chunked DELETE or OPTIONS requests on rewritten routes, especially those with suspicious Connection headers such as 'keep-alive', 'keep-alive, upgrade', or 'Transfer-Encoding, upgrade'.
While specific commands are not provided in the resources, network administrators can use tools like tcpdump or Wireshark to capture and analyze HTTP requests for these patterns, or use curl or similar HTTP clients to manually test endpoints with crafted requests. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Next.js to version 15.5.13 or later, where the vulnerability is fixed by patching the http-proxy component to correctly handle Transfer-Encoding and Content-Length headers.
If upgrading immediately is not possible, block chunked DELETE and OPTIONS requests on rewritten routes at the edge or proxy level to prevent request smuggling.
Additionally, enforce strict authentication and authorization on backend routes to reduce the risk of unauthorized access via smuggled requests.
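The following is an added example, not code from Next.js, http-proxy or this advisory. It illustrates two defender-side pieces of the text above: the forward-header rule the fix is described as introducing (add Content-Length: 0 only when both framing headers are absent, and keep Transfer-Encoding instead of stripping it), and the interim edge mitigation (reject chunked DELETE/OPTIONS requests aimed at rewritten routes, with a structured log line for the detection guidance). The `rewritePrefixes` list, the sample requests and the log field names are assumptions made for the example; header objects use lower-case keys, the shape Node's `IncomingMessage.headers` provides.

```javascript
// Added example (not Next.js / http-proxy code). Header keys are lower-case.

// 1. Forward-header normalisation following the fix described in the advisory.
//    Design choice beyond that description: a request carrying BOTH framing
//    headers is refused rather than forwarded, since that combination is the
//    classic CL.TE / TE.CL ambiguity (RFC 9112 section 6.3 permits a 400 here).
function prepareForwardHeaders(incomingHeaders) {
  const headers = { ...incomingHeaders };
  const has = (name) => Object.prototype.hasOwnProperty.call(headers, name);
  const hasCL = has('content-length');
  const hasTE = has('transfer-encoding');
  if (hasCL && hasTE) {
    return { ok: false, status: 400, reason: 'Content-Length and Transfer-Encoding both present' };
  }
  if (!hasCL && !hasTE) {
    headers['content-length'] = '0'; // only when nothing else frames the body
  }
  // Transfer-Encoding is left untouched so the backend frames the body as we did.
  return { ok: true, headers };
}

// 2. Interim edge guard: block chunked DELETE/OPTIONS on rewritten routes and
//    emit a log line. `rewritePrefixes` is an assumed list of path prefixes
//    that next.config.js rewrites to an external backend.
const GUARDED_METHODS = new Set(['DELETE', 'OPTIONS']);

// Split a comma-separated list header into trimmed lower-case tokens.
function parseListHeader(value) {
  return String(value || '').toLowerCase().split(',').map((s) => s.trim()).filter(Boolean);
}

function edgeGuard(req, rewritePrefixes) {
  const chunked = parseListHeader(req.headers['transfer-encoding']).includes('chunked');
  const onRewrite = rewritePrefixes.some((prefix) => req.path.startsWith(prefix));
  const blocked = chunked && onRewrite && GUARDED_METHODS.has(req.method.toUpperCase());
  // Connection tokens named in the advisory's detection guidance ('upgrade',
  // 'transfer-encoding'); recorded for triage, not used to decide blocking.
  const connection = parseListHeader(req.headers['connection']);
  const flaggedConnection = connection.includes('upgrade') || connection.includes('transfer-encoding');
  const log = JSON.stringify({
    event: blocked ? 'smuggling_guard_block' : 'smuggling_guard_pass',
    method: req.method,
    path: req.path,
    chunked,
    onRewrite,
    connection: connection.join(', '),
    flaggedConnection,
  });
  return { blocked, status: blocked ? 400 : null, log };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { method: 'DELETE', path: '/rewrites/poc',
    headers: { host: 'app.example', 'transfer-encoding': 'chunked', connection: 'Transfer-Encoding, upgrade' } },
  { method: 'GET', path: '/rewrites/poc', headers: { host: 'app.example' } },
  { method: 'DELETE', path: '/local/item', headers: { host: 'app.example', 'transfer-encoding': 'chunked' } },
];

function runGuard(requests, rewritePrefixes) {
  return requests.map((req) => edgeGuard(req, rewritePrefixes));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const result of runGuard(SAMPLE_REQUESTS, ['/rewrites/'])) console.log(result.log);
  console.log(prepareForwardHeaders({ host: 'app.example' }));
  console.log(prepareForwardHeaders({ host: 'app.example', 'transfer-encoding': 'chunked' }));
}
```

Running the block prints one JSON log line per sample request (only the chunked DELETE on the rewritten prefix is blocked) and shows that a bodyless request gains `content-length: 0` while a chunked one keeps its Transfer-Encoding and gets no Content-Length added.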