CVE-2026-29057
Received Received - Intake
Request Smuggling in Next.js Proxy Rewrites Allows Backend Access

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. The vulnerability originated in an upstream library vendored by Next.js. It is fixed in Next.js 15.5.13 and 16.1.7 by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. If upgrading is not immediately possible, block chunked `DELETE`/`OPTIONS` requests on rewritten routes at the edge/proxy, and/or enforce authentication/authorization on backend routes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29057
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vercel next.js From 16.0.0 (inc) to 16.1.7 (exc)
vercel next.js From 9.5.0 (inc) to 15.5.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29057 is an HTTP request smuggling vulnerability in the Next.js framework, specifically in its proxying of rewritten routes to external backends. When a crafted DELETE or OPTIONS HTTP request with a Transfer-Encoding: chunked header is sent, it causes a disagreement in how the proxy and backend server interpret the request boundaries. This allows an attacker to smuggle a second unauthorized HTTP request to unintended backend routes, such as internal or administrative endpoints, bypassing the intended rewrite restrictions.

The root cause is improper handling of Content-Length and Transfer-Encoding headers in an upstream library used by Next.js. The vulnerability is fixed by updating this dependency to add Content-Length: 0 only when both Content-Length and Transfer-Encoding headers are absent, and by no longer removing the Transfer-Encoding header improperly.

If upgrading is not immediately possible, mitigations include blocking chunked DELETE and OPTIONS requests on rewritten routes at the edge or proxy level and enforcing strict authentication and authorization on backend routes.

Impact Analysis

This vulnerability can allow an attacker to smuggle additional HTTP requests through the Next.js proxy to backend routes that should not be accessible, such as internal or administrative endpoints. This bypasses the security assumptions that only the configured rewrite destination/path is reachable.

As a result, unauthorized requests could be executed on backend services, potentially leading to unauthorized access, manipulation of backend functionality, or exposure of sensitive internal endpoints.

However, applications hosted on providers that handle rewrites at the CDN level, such as Vercel, are not impacted by this vulnerability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying crafted HTTP DELETE or OPTIONS requests using the Transfer-Encoding: chunked header that could cause request boundary disagreements between the proxy and backend.'}, {'type': 'paragraph', 'content': 'Testing setups simulate an intermediary proxy and backend server where crafted HTTP payloads attempt to smuggle a second request (e.g., GET /secret) after a legitimate request (DELETE /rewrites/poc or OPTIONS /rewrites/poc) using chunked transfer encoding and various Connection header values.'}, {'type': 'paragraph', 'content': "To detect potential exploitation, monitor HTTP traffic for unusual or unexpected chunked DELETE or OPTIONS requests on rewritten routes, especially those with suspicious Connection headers such as 'keep-alive', 'keep-alive, upgrade', or 'Transfer-Encoding, upgrade'."}, {'type': 'paragraph', 'content': 'While specific commands are not provided in the resources, network administrators can use tools like tcpdump or Wireshark to capture and analyze HTTP requests for these patterns, or use curl or similar HTTP clients to manually test endpoints with crafted requests.'}] [1, 3]

Mitigation Strategies

The primary mitigation is to upgrade Next.js to version 15.5.13 or later, where the vulnerability is fixed by patching the http-proxy component to correctly handle Transfer-Encoding and Content-Length headers.

If upgrading immediately is not possible, block chunked DELETE and OPTIONS requests on rewritten routes at the edge or proxy level to prevent request smuggling.

Additionally, enforce strict authentication and authorization on backend routes to reduce the risk of unauthorized access via smuggled requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29057. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart