Cross-Site Protection Issue in Next.js Framework by Vercel
CVE-2026-27977
2.3 LOW
What is CVE-2026-27977?
Next.js, a framework for building full-stack web applications, had a vulnerability in versions 16.0.1 through 16.1.6: the development server's internal websocket endpoints could accept connections from sensitive contexts that should have been rejected. The issue becomes reachable when the dev server can be reached from attacker-controlled content, which could give that content unauthorized access to the Hot Module Replacement (HMR) websocket channel. The root cause is that the header value 'Origin: null' was treated as a valid origin regardless of what was configured in 'allowedDevOrigins'. Developers should upgrade to version 16.1.7 or, where that is not yet possible, keep the development server off untrusted networks to prevent exploitation.
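As an added illustration (not code from the Next.js project or from this advisory), the JavaScript below contrasts a websocket-upgrade origin check in the weak shape the advisory describes, where an opaque `Origin: null` falls through as acceptable, with a hardened check that rejects it and admits only loopback defaults and hostnames from an `allowedDevOrigins`-style list. The function names, the `DEFAULT_DEV_HOSTS` set, the hostname-only matching rule and the sample handshake headers are assumptions made for this example, not the framework's actual implementation.

```javascript
// Added example, not Next.js code: a websocket-upgrade origin check in the weak
// form described by the advisory ("Origin: null" slips through) next to a
// hardened form. DEFAULT_DEV_HOSTS, the function names and the sample requests
// below are assumptions made for this illustration.

// Hostnames a dev server reasonably trusts without configuration (assumed).
const DEFAULT_DEV_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Classify an Origin header value. Returns one of:
//   { kind: "absent" }          no Origin header at all (typically a non-browser client)
//   { kind: "opaque" }          the literal "null" (sandboxed iframes and similar contexts)
//   { kind: "invalid" }         present but not an http(s) URL
//   { kind: "host", hostname }  a parseable http(s) origin
function classifyOrigin(originHeader) {
  if (originHeader === undefined || originHeader === null || originHeader === "") {
    return { kind: "absent" };
  }
  if (originHeader === "null") {
    return { kind: "opaque" };
  }
  try {
    const u = new URL(originHeader);
    if (u.protocol !== "http:" && u.protocol !== "https:") return { kind: "invalid" };
    return { kind: "host", hostname: u.hostname };
  } catch {
    return { kind: "invalid" };
  }
}

// Weak check: anything that does not parse as a foreign http(s) origin is waved
// through, so "Origin: null" is accepted no matter what allowedDevOrigins says.
function weakOriginCheck(originHeader, allowedDevOrigins) {
  const o = classifyOrigin(originHeader);
  if (o.kind !== "host") return true; // BUG: opaque/invalid/absent origins allowed
  return DEFAULT_DEV_HOSTS.has(o.hostname) || allowedDevOrigins.includes(o.hostname);
}

// Hardened check: only a parseable origin whose hostname is a loopback default
// or an explicitly configured hostname is accepted. "null", absent and malformed
// values are all rejected for websocket upgrades, with a reason for logging.
function hardenedOriginCheck(originHeader, allowedDevOrigins) {
  const o = classifyOrigin(originHeader);
  if (o.kind !== "host") {
    return { allowed: false, reason: `origin ${o.kind}` };
  }
  if (DEFAULT_DEV_HOSTS.has(o.hostname)) {
    return { allowed: true, reason: "loopback default" };
  }
  if (allowedDevOrigins.includes(o.hostname)) {
    return { allowed: true, reason: "listed in allowedDevOrigins" };
  }
  return { allowed: false, reason: `hostname ${o.hostname} not allowed` };
}

// Run both checks over a set of handshake requests and flag the cases where the
// weak check admits something the hardened check rejects.
function compareChecks(requests, allowedDevOrigins) {
  return requests.map((req) => {
    const weak = weakOriginCheck(req.headers.origin, allowedDevOrigins);
    const hard = hardenedOriginCheck(req.headers.origin, allowedDevOrigins);
    return {
      label: req.label,
      weak,
      hardened: hard.allowed,
      reason: hard.reason,
      gap: weak && !hard.allowed,
    };
  });
}

// Constructed sample upgrade requests (headers only; no real traffic).
const SAMPLE_REQUESTS = [
  { label: "browser on localhost", headers: { origin: "http://localhost:3000" } },
  { label: "configured dev host", headers: { origin: "http://dev.internal.example:3000" } },
  { label: "foreign site", headers: { origin: "https://attacker.example" } },
  { label: "opaque origin", headers: { origin: "null" } },
  { label: "no Origin header", headers: {} },
];
const SAMPLE_ALLOWED = ["dev.internal.example"];

for (const r of compareChecks(SAMPLE_REQUESTS, SAMPLE_ALLOWED)) {
  const gap = r.gap ? "  <-- weak check admits, hardened rejects" : "";
  console.log(`${r.label.padEnd(22)} weak=${r.weak} hardened=${r.hardened} (${r.reason})${gap}`);
}
```

Whether an absent Origin should be rejected is a deployment choice (non-browser tooling that needs the HMR channel sends none), and the hardened version takes the strict side; the part that is not negotiable is that the literal string `null` must never count as an allowed origin, because that is exactly the value browsers send from opaque-origin contexts. Alongside a correct check, binding the dev server to loopback keeps it out of reach of untrusted networks in the first place, which is the mitigation the advisory recommends for anyone who cannot upgrade immediately.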
Affected Version(s)
next.js >= 16.0.1, < 16.1.7