CVE-2026-27977
Published 2026-03-18
Priority P4 (28) · CVSS 3.1 base score 5.4 (medium)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
EPSS: 0.17% (6.8th percentile)
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy.
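The bug class in the description, as an added illustration that is not Next.js's own code: a websocket-upgrade origin check that short-circuits on `Origin: null`, beside a version that sends `null` down the same allowlist path as every other origin (the fix the advisory describes). The allowlist, the `hostMatches` wildcard rule, the request objects and the choice to admit requests with no `Origin` header at all are assumptions made for the example, not Next.js behaviour.

```javascript
// Added example (not Next.js's own code). It models the bug class described
// above: an Origin allow-check for the dev HMR websocket upgrade that
// short-circuits on "Origin: null", next to a version that runs "null"
// through the same allowlist path as any other origin.

// Constructed allowlist in the shape of `allowedDevOrigins`: exact hostnames
// or a leading wildcard label. Assumed for this example.
const ALLOWED_DEV_ORIGINS = ['localhost', '*.dev.example.test'];

// Hostname of the request's own Host header (port stripped).
function hostHeaderName(hostHeader) {
  try {
    return new URL(`http://${hostHeader}`).hostname;
  } catch {
    return null;
  }
}

// Hostname of the Origin header. "null", malformed or absent values yield
// null: an opaque origin has no hostname to compare against.
function originHostname(originHeader) {
  try {
    return new URL(originHeader).hostname;
  } catch {
    return null;
  }
}

// Assumed matching rule: exact hostname, or "*.suffix" for any subdomain.
function hostMatches(pattern, hostname) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.dev.example.test" -> ".dev.example.test"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Vulnerable pattern: an opaque origin is treated as "not cross-site" and
// skips the allowlist entirely.
function isAllowedOriginVulnerable(originHeader, hostHeader, allowed) {
  if (originHeader === undefined) return true; // no Origin header: non-browser client (assumption)
  if (originHeader === 'null') return true;    // BUG: sandboxed/opaque contexts bypass the allowlist
  if (allowed === undefined) return true;      // no allowlist configured: any origin (per advisory)
  const host = originHostname(originHeader);
  return host !== null &&
    (host === hostHeaderName(hostHeader) || allowed.some((p) => hostMatches(p, host)));
}

// Hardened pattern: no special case for "null". It has no hostname, so it can
// match neither the request host nor any allowlist entry and is rejected.
function isAllowedOriginHardened(originHeader, hostHeader, allowed) {
  if (originHeader === undefined) return true; // no Origin header: non-browser client (assumption)
  if (allowed === undefined) return true;      // no allowlist configured: any origin (per advisory)
  const host = originHostname(originHeader);
  if (host === null) return false;             // "null" or unparseable: treated like any unknown origin
  return host === hostHeaderName(hostHeader) || allowed.some((p) => hostMatches(p, host));
}

// Gate a websocket upgrade on the HMR path with the hardened check.
// `req` mimics a Node http.IncomingMessage: { url, headers: { host, origin } }.
function shouldAcceptHmrUpgrade(req, allowed = ALLOWED_DEV_ORIGINS) {
  if (req.url !== '/_next/webpack-hmr') return false;
  return isAllowedOriginHardened(req.headers.origin, req.headers.host, allowed);
}

// Constructed upgrade requests for a stand-alone run.
const sampleRequests = [
  { url: '/_next/webpack-hmr', headers: { host: 'localhost:3000', origin: 'http://localhost:3000' } },
  { url: '/_next/webpack-hmr', headers: { host: 'localhost:3000', origin: 'null' } },
  { url: '/_next/webpack-hmr', headers: { host: 'localhost:3000', origin: 'https://attacker.example' } },
];
for (const req of sampleRequests) {
  const verdict = shouldAcceptHmrUpgrade(req) ? 'accept' : 'reject';
  console.log(`Origin ${req.headers.origin} -> ${verdict}`);
}
```

The only behavioural difference between the two functions is the removed `=== 'null'` branch; with it gone, an opaque origin fails the same hostname comparison that rejects `attacker.example`, while the advisory's other documented behaviour (no `allowedDevOrigins` configured means any origin is admitted) is unchanged.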
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 16.0.1 < 16.1.7 | 16.1.7 |
| vercel | next.js | — | — |
| vercel | next.js | >= 16.0.1 < 16.1.7 | 16.1.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| NVD | 4.0 | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Red Hat (vendor) | — | 2.3 | LOW | — |
GHSA (ghsa · 2026-03-17)
CVE-2026-27977 [LOW] CWE-1385 Next.js: null origin can bypass dev HMR websocket CSRF checks
## Summary
In `next dev`, cross-site protections for internal development endpoints could treat `Origin: null` as a bypass case even when [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.
## Impact
If a developer visits attacker-controlled content while running an affected `next dev` server with [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) configured, attacker-controlled browser code may be able to connect to internal development endpoints a
OSV (osv · 2026-03-17)
CVE-2026-27977 [LOW] Next.js: null origin can bypass dev HMR websocket CSRF checks
The OSV entry carries the same Summary and Impact text as the GHSA entry above.
Red Hat (vendor_redhat · 2026-03-17 · CVSS 2.3)
CVE-2026-27977 [LOW] CWE-346 next.js: Next.js: null origin can bypass dev HMR websocket CSRF checks
The Red Hat entry repeats the NVD description given at the top of this page.
No detection rules found.
No public exploits indexed.
Wiz (blogs_wiz · CVSS 7.5)
CVE-2025-55184 [HIGH] GHSA-5j59-xgg2-r9c4 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-5j59-xgg2-r9c4: Next.js vulnerability analysis and mitigation
It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustaine
Wiz (blogs_wiz · CVSS 5.3)
CVE-2025-55183 [MEDIUM] GHSA-w37m-7fhw-fmv9 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-w37m-7fhw-fmv9: Next.js vulnerability analysis and mitigation
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.
A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.
Source: NVD · Score 5.3 · Published December 11, 2025 · Severity MEDIUM · CNA Score N/A · Affected Technologies: Next.js · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Da
Wiz (blogs_wiz · CVSS 7.5)
CVE-2025-55184 [HIGH] GHSA-mwv6-3258-q52c Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-mwv6-3258-q52c: Next.js vulnerability analysis and mitigation
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
Source: NVD · Score 7.5 · Published December 11, 2025 · Severity HIGH · CNA Score N/A · Affected Technologies: Next.js · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A · Exploitation Prob
Wiz (blogs_wiz · CVSS 2.3)
CVE-2026-27977 [LOW] CVE-2026-27977 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27977: ASP.NET Core vulnerability analysis and mitigation
Source: NVD · Score 2.3 · Published March 18, 2026 · Severity LOW · CNA Score 2.3 · Affected Technologies: ASP.NET Core, .NET Core SDK · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A · Exploitation Probability Percentile (EPSS): 0.4 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: dotnet-targeting-pack-7.0, dotnet-templates-7.0
Sources
| Source | Severity | Fix status | Added at |
|---|---|---|---|
| npm | LOW | Has Fix | Mar 17, 2026 |
| Red Hat 9 | MEDIUM | No Fix | Mar 19, 2026 |