CVE-2026-27977

Source
https://cve.org/CVERecord?id=CVE-2026-27977
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27977.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27977
Aliases
Downstream
Published
2026-03-17T23:56:24.631Z
Modified
2026-07-15T01:49:04.220271475Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Next.js: null origin can bypass dev HMR websocket CSRF checks
Details

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured allowedDevOrigins still allow connections from any origin. The issue is fixed in version 16.1.7 by validating Origin: null through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose next dev to untrusted networks and/or block websocket upgrades to /_next/webpack-hmr when Origin is null at the proxy.

Database specific
{
    "cwe_ids": [
        "CWE-1385"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27977.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/vercel/next.js

Affected ranges

Type
GIT
Repo
https://github.com/vercel/next.js
Events
Database specific
{
    "cpe": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "16.0.1"
        },
        {
            "fixed": "16.1.7"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v16.*
v16.0.1
v16.0.2-canary.0
v16.0.2-canary.1
v16.0.2-canary.10
v16.0.2-canary.11
v16.0.2-canary.12
v16.0.2-canary.13
v16.0.2-canary.14
v16.0.2-canary.15
v16.0.2-canary.16
v16.0.2-canary.17
v16.0.2-canary.18
v16.0.2-canary.19
v16.0.2-canary.2
v16.0.2-canary.20
v16.0.2-canary.21
v16.0.2-canary.22
v16.0.2-canary.23
v16.0.2-canary.24
v16.0.2-canary.25
v16.0.2-canary.26
v16.0.2-canary.27
v16.0.2-canary.28
v16.0.2-canary.29
v16.0.2-canary.3
v16.0.2-canary.30
v16.0.2-canary.31
v16.0.2-canary.32
v16.0.2-canary.33
v16.0.2-canary.34
v16.0.2-canary.4
v16.0.2-canary.5
v16.0.2-canary.6
v16.0.2-canary.7
v16.0.2-canary.8
v16.0.2-canary.9
v16.1.0
v16.1.0-canary.0
v16.1.0-canary.1
v16.1.0-canary.10
v16.1.0-canary.11
v16.1.0-canary.12
v16.1.0-canary.13
v16.1.0-canary.14
v16.1.0-canary.15
v16.1.0-canary.16
v16.1.0-canary.17
v16.1.0-canary.18
v16.1.0-canary.19
v16.1.0-canary.2
v16.1.0-canary.20
v16.1.0-canary.21
v16.1.0-canary.22
v16.1.0-canary.23
v16.1.0-canary.24
v16.1.0-canary.25
v16.1.0-canary.26
v16.1.0-canary.27
v16.1.0-canary.28
v16.1.0-canary.29
v16.1.0-canary.3
v16.1.0-canary.30
v16.1.0-canary.31
v16.1.0-canary.32
v16.1.0-canary.33
v16.1.0-canary.34
v16.1.0-canary.4
v16.1.0-canary.5
v16.1.0-canary.6
v16.1.0-canary.7
v16.1.0-canary.8
v16.1.0-canary.9
v16.1.1
v16.1.1-canary.0
v16.1.1-canary.1
v16.1.1-canary.10
v16.1.1-canary.11
v16.1.1-canary.12
v16.1.1-canary.13
v16.1.1-canary.14
v16.1.1-canary.15
v16.1.1-canary.16
v16.1.1-canary.17
v16.1.1-canary.18
v16.1.1-canary.19
v16.1.1-canary.2
v16.1.1-canary.20
v16.1.1-canary.21
v16.1.1-canary.22
v16.1.1-canary.23
v16.1.1-canary.24
v16.1.1-canary.25
v16.1.1-canary.26
v16.1.1-canary.27
v16.1.1-canary.28
v16.1.1-canary.29
v16.1.1-canary.3
v16.1.1-canary.30
v16.1.1-canary.31
v16.1.1-canary.32
v16.1.1-canary.33
v16.1.1-canary.34
v16.1.1-canary.35
v16.1.1-canary.36
v16.1.1-canary.4
v16.1.1-canary.5
v16.1.1-canary.6
v16.1.1-canary.7
v16.1.1-canary.8
v16.1.1-canary.9
v16.1.2
v16.1.3
v16.1.4
v16.1.5
v16.1.6
v16.2.0-canary.0
v16.2.0-canary.1
v16.2.0-canary.10
v16.2.0-canary.100
v16.2.0-canary.101
v16.2.0-canary.11
v16.2.0-canary.12
v16.2.0-canary.13
v16.2.0-canary.14
v16.2.0-canary.15
v16.2.0-canary.16
v16.2.0-canary.17
v16.2.0-canary.18
v16.2.0-canary.19
v16.2.0-canary.2
v16.2.0-canary.20
v16.2.0-canary.21
v16.2.0-canary.22
v16.2.0-canary.23
v16.2.0-canary.24
v16.2.0-canary.25
v16.2.0-canary.26
v16.2.0-canary.27
v16.2.0-canary.28
v16.2.0-canary.29
v16.2.0-canary.3
v16.2.0-canary.30
v16.2.0-canary.31
v16.2.0-canary.32
v16.2.0-canary.33
v16.2.0-canary.34
v16.2.0-canary.35
v16.2.0-canary.36
v16.2.0-canary.37
v16.2.0-canary.38
v16.2.0-canary.39
v16.2.0-canary.4
v16.2.0-canary.40
v16.2.0-canary.41
v16.2.0-canary.42
v16.2.0-canary.43
v16.2.0-canary.44
v16.2.0-canary.45
v16.2.0-canary.46
v16.2.0-canary.47
v16.2.0-canary.48
v16.2.0-canary.49
v16.2.0-canary.5
v16.2.0-canary.50
v16.2.0-canary.51
v16.2.0-canary.52
v16.2.0-canary.53
v16.2.0-canary.54
v16.2.0-canary.55
v16.2.0-canary.56
v16.2.0-canary.57
v16.2.0-canary.58
v16.2.0-canary.59
v16.2.0-canary.6
v16.2.0-canary.60
v16.2.0-canary.61
v16.2.0-canary.62
v16.2.0-canary.63
v16.2.0-canary.64
v16.2.0-canary.65
v16.2.0-canary.66
v16.2.0-canary.67
v16.2.0-canary.68
v16.2.0-canary.69
v16.2.0-canary.7
v16.2.0-canary.70
v16.2.0-canary.71
v16.2.0-canary.72
v16.2.0-canary.73
v16.2.0-canary.74
v16.2.0-canary.75
v16.2.0-canary.76
v16.2.0-canary.77
v16.2.0-canary.78
v16.2.0-canary.79
v16.2.0-canary.8
v16.2.0-canary.80
v16.2.0-canary.81
v16.2.0-canary.82
v16.2.0-canary.83
v16.2.0-canary.84
v16.2.0-canary.85
v16.2.0-canary.86
v16.2.0-canary.87
v16.2.0-canary.88
v16.2.0-canary.89
v16.2.0-canary.9
v16.2.0-canary.90
v16.2.0-canary.91
v16.2.0-canary.92
v16.2.0-canary.93
v16.2.0-canary.94
v16.2.0-canary.95
v16.2.0-canary.96
v16.2.0-canary.97
v16.2.0-canary.98
v16.2.0-canary.99

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27977.json"