{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27977", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:24:57.793Z", "datePublished": "2026-03-17T23:56:24.631Z", "dateUpdated": "2026-03-18T19:56:16.843Z"}, "containers": {"cna": {"title": "Next.js: null origin can bypass dev HMR websocket CSRF checks", "problemTypes": [{"descriptions": [{"cweId": "CWE-1385", "lang": "en", "description": "CWE-1385: Missing Origin Validation in WebSockets", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36"}, {"name": "https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a", "tags": ["x_refsource_MISC"], "url": "https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a"}, {"name": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"version": ">= 16.0.1, < 16.1.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:23:47.523Z"}, "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy."}], "source": {"advisory": "GHSA-jcc7-9wpm-mj36", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T19:56:08.547586Z", "id": "CVE-2026-27977", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:56:16.843Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27977", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T19:56:08.547586Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:56:13.510Z"}}], "cna": {"title": "Next.js: null origin can bypass dev HMR websocket CSRF checks", "source": {"advisory": "GHSA-jcc7-9wpm-mj36", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"status": "affected", "version": ">= 16.0.1, < 16.1.7"}]}], "references": [{"url": "https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36", "name": "https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a", "name": "https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "name": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1385", "description": "CWE-1385: Missing Origin Validation in WebSockets"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:23:47.523Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27977", "state": "PUBLISHED", "dateUpdated": "2026-03-18T19:56:16.843Z", "dateReserved": "2026-02-25T03:24:57.793Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T23:56:24.631Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B6AA61BB-C5CD-4725-9A02-BEFA55D52351", "versionEndExcluding": "16.1.7", "versionStartIncluding": "16.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy."}, {"lang": "es", "value": "Next.js es un framework de React para construir aplicaciones web full-stack. A partir de la versi\u00f3n 16.0.1 y antes de la versi\u00f3n 16.1.7, en 'next dev', la protecci\u00f3n entre sitios para los endpoints internos de websocket podr\u00eda tratar 'Origin: null' como un caso de omisi\u00f3n incluso si allowedDevOrigins est\u00e1 configurado, permitiendo que contextos sensibles a la privacidad/opacos (por ejemplo, documentos en sandbox) se conecten inesperadamente. Si un servidor de desarrollo es accesible desde contenido controlado por el atacante, un atacante podr\u00eda conectarse al canal de websocket HMR e interactuar con el tr\u00e1fico de websocket de desarrollo. Esto afecta solo al modo de desarrollo. Las aplicaciones sin un allowedDevOrigins configurado a\u00fan permiten conexiones desde cualquier origen. El problema se soluciona en la versi\u00f3n 16.1.7 validando 'Origin: null' a trav\u00e9s de las mismas comprobaciones de permiso de origen entre sitios utilizadas para otros or\u00edgenes. Si la actualizaci\u00f3n no es posible de inmediato, no exponga 'next dev' a redes no confiables y/o bloquee las actualizaciones de websocket a /_next/webpack-hmr cuando 'Origin' sea 'null' en el proxy."}], "id": "CVE-2026-27977", "lastModified": "2026-03-18T20:08:59.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T00:16:19.947", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1385"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "next.js: Next.js: null origin can bypass dev HMR websocket CSRF checks", "id": "2448514", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448514"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-346", "details": ["A CSRF check bypass flaw has been discovered in Next.js. In the `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27977", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/rekor-search-ui-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-03-17T23:56:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27977\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27977\nhttps://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a\nhttps://github.com/vercel/next.js/releases/tag/v16.1.7\nhttps://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.1,16.1.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "next.js", "source": "cna", "vendor": "vercel"}, "product": "next.js", "vendor": "vercel"}], "analysis": {"en": {"generated_at": "2026-03-19T01:56:08.495278+00:00", "value": {"mitigation_remediation": ["Upgrade vercel:next.js to version 16.1.7 or later.", "If an upgrade is not immediately possible, ensure that the \"next dev\" server is not exposed to untrusted networks.", "Configure your reverse proxy or firewall to block websocket upgrade requests to \"/_next/webpack-hmr\" when the Origin header is \"null\"."], "summary": {"action": "Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "It affects Vercel Next.js versions starting at 16.0.1 up to, but not including, 16.1.7. Versions before 16.0.1 lack the problematic check, while any instance lacking a configured allowedDevOrigins will accept connections from any origin, including those with a null origin.", "description_and_impact": "Next.js opens a path for cross\u2011site request forgery on its development mode HMR websocket endpoint by treating an Origin header of \"null\" as a bypass, even if allowedDevOrigins is configured. The vulnerability causes an attacker to gain unchecked access to the hot\u2011module\u2011replacement channel, potentially exposing development data or disrupting the workflow. The weakness matches CWE\u20111385 (Improper Validation of Data) and CWE\u2011346 (Improper Checking for Authorization). Based on the description, the likely attack vector is an attacker who can serve malicious content that can reach the dev server, such as via a local network or an exposed development port, and then initiate a websocket connection to the _next/webpack-hmr endpoint.", "risk_and_exploitability": "The CVSS score of 2.3 indicates low severity, and an EPSS score of less than 1% shows a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the development server to be reachable from attacker\u2011controlled content, so the risk remains low unless the dev environment is exposed to untrusted networks. If exposed, an attacker can exploit the flaw by loading malicious content that issues a websocket request to /_next/webpack-hmr, bypassing the intended origin checks."}}}}, "created": "2026-03-18T10:42:27.135514+00:00", "updated": "2026-03-24T10:54:15.445726+00:00", "vendors": ["vercel", "vercel$PRODUCT$next.js"]}