Next.js: null origin can bypass dev HMR websocket CSRF checks
GHSA-jcc7-9wpm-mj36 · CVE-2026-27977
Published · Modified
Description
Summary
In next dev, cross-site protections for internal development endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.
Impact
If a developer visits attacker-controlled content while running an affected next dev server with allowedDevOrigins configured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked.
This issue affects development mode only. It does not affect next start, and it does not expose internal debugging functionality to the network by default.
Patches
Fixed by validating Origin: null through the same cross-site origin-allowance checks used for other origins on internal development endpoints.
Workarounds
If upgrade is not immediately possible:
- Do not expose
next devto untrusted networks. - If you use
allowedDevOrigins, reject requests and websocket upgrades withOrigin: nullfor internal dev endpoints at your proxy.
References
- WEB https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-27977
- WEB https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a
- PACKAGE https://github.com/vercel/next.js
- WEB https://github.com/vercel/next.js/releases/tag/v16.1.7
Ready to move
Start Securing
Free, no credit card | First findings in minutes