GHSA-jcc7-9wpm-mj36
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jcc7-9wpm-mj36
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-jcc7-9wpm-mj36/GHSA-jcc7-9wpm-mj36.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jcc7-9wpm-mj36
- Aliases
- Published
- 2026-03-17T15:29:48Z
- Modified
- 2026-03-25T19:49:01.129152Z
- Severity
-
- 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Next.js: null origin can bypass dev HMR websocket CSRF checks
- Details
-
Summary
In
next dev, cross-site protections for internal development endpoints could treatOrigin: nullas a bypass case even whenallowedDevOriginsis configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.Impact
If a developer visits attacker-controlled content while running an affected
next devserver withallowedDevOriginsconfigured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked.This issue affects development mode only. It does not affect
next start, and it does not expose internal debugging functionality to the network by default.Patches
Fixed by validating
Origin: nullthrough the same cross-site origin-allowance checks used for other origins on internal development endpoints.Workarounds
If upgrade is not immediately possible: - Do not expose
next devto untrusted networks. - If you useallowedDevOrigins, reject requests and websocket upgrades withOrigin: nullfor internal dev endpoints at your proxy. - Database specific
{ "cwe_ids": [ "CWE-1385" ], "github_reviewed_at": "2026-03-17T15:29:48Z", "nvd_published_at": "2026-03-18T00:16:19Z", "severity": "LOW", "github_reviewed": true }- References
Affected packages
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next