CVE-2026-29057
Published: 2026-03-18
Priority: P3 40 · medium · 6.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.43% (34.2th percentile)
Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. The vulnerability originated in an upstream library vendored by Next.js. It is fixed in Next.js 15.5.13 and 16.1.7 by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. If upgrading is not immediately possible, block chunked `DELETE`/`OPTIONS` requests on rewritten routes at the edge/proxy, and/or enforce authentication/authorization on backend routes.
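The header-handling change and the edge-side workaround described above, shown as an added JavaScript example. This is not code from Next.js or from the proxy library it vendors; the function names, the `isRewrittenRoute` predicate and the sample request are assumptions made for the illustration.

```javascript
// Added example (not Next.js code and not the vendored proxy library's code):
// models the pre-fix and fixed header handling the advisory describes, plus
// the edge/proxy workaround it recommends. All names here are assumptions.

const BODYLESS_METHODS = new Set(['DELETE', 'OPTIONS']);

// Lower-case header names so lookups match regardless of the client's casing.
function lowerHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Pre-fix behaviour as the advisory describes it: for DELETE/OPTIONS without a
// content-length the proxy added `content-length: 0` and dropped
// `transfer-encoding`. The backend then framed the request as empty-bodied
// while the proxy had read a chunked body, so the two sides disagreed on
// where the request ended (the boundary disagreement behind CWE-444).
function legacyOutgoingHeaders(method, headers) {
  const out = lowerHeaders(headers);
  if (BODYLESS_METHODS.has(method.toUpperCase()) && !('content-length' in out)) {
    out['content-length'] = '0';
    delete out['transfer-encoding'];
  }
  return out;
}

// Fixed behaviour: `content-length: 0` is added only when BOTH framing headers
// are absent, and `transfer-encoding` is preserved so the backend frames the
// body exactly as the proxy did.
function fixedOutgoingHeaders(method, headers) {
  const out = lowerHeaders(headers);
  const hasLength = 'content-length' in out;
  const hasTransferEncoding = 'transfer-encoding' in out;
  if (BODYLESS_METHODS.has(method.toUpperCase()) && !hasLength && !hasTransferEncoding) {
    out['content-length'] = '0';
  }
  return out;
}

// Edge/proxy workaround from the advisory for deployments that cannot upgrade
// yet: refuse chunked DELETE/OPTIONS requests on routes that are rewritten to
// an external backend. `isRewrittenRoute` is a caller-supplied predicate
// (assumed here to mirror the app's rewrite configuration).
function shouldRejectAtEdge(method, headers, path, isRewrittenRoute) {
  const h = lowerHeaders(headers);
  const te = String(h['transfer-encoding'] || '').toLowerCase();
  const chunked = te.split(',').map((s) => s.trim()).includes('chunked');
  return BODYLESS_METHODS.has(method.toUpperCase()) && chunked && isRewrittenRoute(path);
}

// Constructed sample request (not captured traffic), as a client would send it.
const sampleRequest = {
  method: 'DELETE',
  path: '/api/proxy/item',
  headers: { Host: 'app.example', 'Transfer-Encoding': 'chunked' },
};
const isRewrittenRoute = (p) => p.startsWith('/api/proxy/');

console.log('legacy headers:', legacyOutgoingHeaders(sampleRequest.method, sampleRequest.headers));
console.log('fixed headers :', fixedOutgoingHeaders(sampleRequest.method, sampleRequest.headers));
console.log('reject at edge:', shouldRejectAtEdge(sampleRequest.method, sampleRequest.headers, sampleRequest.path, isRewrittenRoute));
```

Run with `node`: for the sample chunked `DELETE`, the legacy path emits `content-length: 0` and drops `transfer-encoding`, the fixed path forwards `transfer-encoding: chunked` untouched, and the edge check returns `true` only because the method is bodyless, the request is chunked, and the path is a rewritten route. A plain `OPTIONS` with neither framing header still gets `content-length: 0` under the fixed logic, which is the one case where adding it is safe.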
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 16.0.0-beta.0 < 16.1.7 | 16.1.7 |
| next | next | >= 9.5.0 < 15.5.13 | 15.5.13 |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
| vercel | next.js | >= 16.0.0 < 16.1.7 | 16.1.7 |
| vercel | next.js | >= 9.5.0 < 15.5.13 | 15.5.13 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| nvd | v4.0 | 6.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | | 6.3 | MEDIUM | |
Red Hat
next.js: Next.js: HTTP request smuggling in rewrites
vendor_redhat · 2026-03-18 · CVSS 6.3
CVE-2026-29057 [MEDIUM] CWE-444 (description as in the advisory text above)
OSV
Next.js: HTTP request smuggling in rewrites
osv · 2026-03-17
CVE-2026-29057 [MEDIUM] (Summary, Impact and Patches sections as in the advisory text above)
GHSA
Next.js: HTTP request smuggling in rewrites
ghsa · 2026-03-17
CVE-2026-29057 [MEDIUM] CWE-444 (Summary, Impact and Patches sections as in the advisory text above)
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-29057 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3
CVE-2026-29057 [MEDIUM]
## CVE-2026-29057 : ASP.NET Core vulnerability analysis and mitigation
Source: NVD
Score: 6.3 · Published March 18, 2026 · Severity MEDIUM · CNA Score 6.3
Affected Technologies: ASP.NET Core, Wolfi
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 0.1 · Percentile: 19.6
Affected packages and libraries: dotnet-targeting-pack-7.0, langfuse-2
Sources: NVD; Chainguard (Has Fix, added Mar 20, 2026); npm (Severity MEDIUM, Has Fix, added Mar 17, 2026); Red Hat 9 (Severity MEDIUM, No Fix, added Mar 19, 2026); Wolfi (Has Fix, added Mar 20, 2026)
Wiz
GHSA-5j59-xgg2-r9c4 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5
CVE-2025-55184 [HIGH]
## GHSA-5j59-xgg2-r9c4 : Next.js vulnerability analysis and mitigation
It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustaine
Wiz
GHSA-w37m-7fhw-fmv9 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3
CVE-2025-55183 [MEDIUM]
## GHSA-w37m-7fhw-fmv9 : Next.js vulnerability analysis and mitigation
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.
A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.
Source: NVD
Score: 5.3 · Published December 11, 2025 · Severity MEDIUM · CNA Score N/A
Affected Technologies: Next.js
Has Public Exploit: No · Has CISA KEV Exploit: No
Wiz
CVE-2025-59472 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9
CVE-2025-59472 [MEDIUM]
## CVE-2025-59472 : ASP.NET Core vulnerability analysis and mitigation
Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Source: NVD
Score: 7.5 · Published January 26, 2026 · Severity HIGH · CNA Score 5.9
Affected Technologies: ASP.NET Core, Wolfi
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 0.1 · Percentile: 25.3
Affected packages and libraries: dotnet7.0, dotnet-sdk-7.0
Sources: NVD; Chainguard (Has Fix)
Wiz
CVE-2026-27978 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3
CVE-2026-27978 [MEDIUM]
## CVE-2026-27978 : ASP.NET Core vulnerability analysis and mitigation
Source: NVD
Score: 5.3 · Published March 18, 2026 · Severity MEDIUM · CNA Score 5.3
Affected Technologies: ASP.NET Core, .NET Core SDK
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A · Percentile: 0.5
Affected packages and libraries: dotnet-templates-7.0, netstandard-targeting-pack-2.1
Sources: NVD; npm (Severity MEDIUM, Has Fix, added Mar 17, 2026); Red Hat 9 (Severity MEDIUM, No Fix, added Mar 19, 2026)
Wiz
GHSA-mwv6-3258-q52c Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5
CVE-2025-55184 [HIGH]
## GHSA-mwv6-3258-q52c : Next.js vulnerability analysis and mitigation
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
Source: NVD
Score: 7.5 · Published December 11, 2025 · Severity HIGH · CNA Score N/A
Affected Technologies: Next.js
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Wiz
CVE-2026-27977 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 2.3
CVE-2026-27977 [LOW]
## CVE-2026-27977 : ASP.NET Core vulnerability analysis and mitigation
Source: NVD
Score: 2.3 · Published March 18, 2026 · Severity LOW · CNA Score 2.3
Affected Technologies: ASP.NET Core, .NET Core SDK
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A · Percentile: 0.4
Affected packages and libraries: dotnet-targeting-pack-7.0, dotnet-templates-7.0
Sources: NVD; npm (Severity LOW, Has Fix, added Mar 17, 2026); Red Hat 9 (Severity MEDIUM, No Fix, added Mar 19, 2026)
Wiz
CVE-2026-27979 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3
CVE-2026-27979 [MEDIUM]
## CVE-2026-27979 : ASP.NET Core vulnerability analysis and mitigation
Source: NVD
Score: 6.9 · Published March 18, 2026 · Severity MEDIUM · CNA Score 6.9
Affected Technologies: ASP.NET Core, .NET Core SDK
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A · Percentile: 4.5
Affected packages and libraries: dotnet-sdk-7.0, dotnet-sdk-7.0-source-built-artifacts
Sources: NVD; npm (Severity MEDIUM, Has Fix, added Mar 17, 2026); Red Hat 9 (Severity MEDIUM, No Fix, added Mar 19, 2026)
Wiz
CVE-2025-59471 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9
CVE-2025-59471 [MEDIUM]
## CVE-2025-59471 : ASP.NET Core vulnerability analysis and mitigation
Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Source: NVD
Score: 7.5 · Published January 26, 2026 · Severity HIGH · CNA Score 5.9
Affected Technologies: ASP.NET Core, Wolfi
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A · Percentile: 7.7
Affected packages and libraries: dotnet-sdk-7.0, dotnet-sdk-7.0-source-built-artifacts
Sources: NVD; Chainguard (Has Fix, added Feb 10, 2026); npm (Severity MEDIUM, Has Fix, added Jan 28, 2026); Red Hat 7, 8, 9, 10 (Severity MEDIUM, No Fix)
Wiz
CVE-2026-27980 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3
CVE-2026-27980 [MEDIUM]
## CVE-2026-27980 : ASP.NET Core vulnerability analysis and mitigation
Source: NVD
Score: 6.9 · Published March 18, 2026 · Severity MEDIUM · CNA Score 6.9
Affected Technologies: ASP.NET Core, Wolfi
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A · Percentile: 5.5
Affected packages and libraries: langfuse-3, langfuse-2
Sources: NVD; Chainguard (Has Fix, added Mar 20, 2026); npm (Severity MEDIUM, Has Fix, added Mar 17, 2026); Red Hat 9 (Severity MEDIUM, No Fix, added Mar 19, 2026); Wolfi (Has Fix, added Mar 20, 2026)