Researcher: Radu33 (ranked #42,268 of 53,622; total CVSS 6.4; vulnerabilities: 1)

PT-2026-25908 · CVSS 6.4 · 2026-03-17

Vercel · Next.js · CVE-2026-27977
**Name of the Vulnerable Software and Affected Versions**

Next.js versions 16.0.1 through 16.1.6

**Description**

Next.js, a React framework for building full-stack web applications, had a flaw in its development mode (`next dev`): the cross-site protection for its internal websocket endpoints could incorrectly allow connections from contexts that send an `Origin: null` header, even when `allowedDevOrigins` was configured. An attacker able to serve attacker-controlled content could therefore connect to the Hot Module Replacement (HMR) websocket channel and potentially interact with development websocket traffic. The issue only affects development mode. Applications without a configured `allowedDevOrigins` were also susceptible, accepting connections from any origin. The API endpoint `/_next/webpack-hmr` is involved in this issue, and the `Origin` header is the key factor in the vulnerability.

**Recommendations**

Next.js versions prior to 16.1.7 should be updated to version 16.1.7 or later, which validates an `Origin: null` header with the same cross-site origin checks applied to other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks. As an additional measure, block websocket upgrades to the `/_next/webpack-hmr` endpoint at the proxy when the `Origin` header is `null`.
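The proxy-side mitigation above, as an added example that is not Next.js or dbugs code: a Node.js guard that refuses websocket upgrades to the HMR endpoint unless the request is same-origin or its origin is in an `allowedDevOrigins`-style list, treating `Origin: null` (and a missing `Origin`) as cross-site. It assumes the HMR path is `/_next/webpack-hmr` and that allow-list entries are plain hostnames without wildcard support.

```javascript
// Added example (not Next.js or dbugs code). Assumes the dev HMR websocket
// path is /_next/webpack-hmr and that allowedDevOrigins holds bare hostnames.
const HMR_PATH = "/_next/webpack-hmr";

// Parse an Origin header into { host, hostname } or return null when it is
// absent, the literal "null" (an opaque origin), or not an http(s) URL.
// The "null" case is exactly the one the advisory says was waved through.
function parseOrigin(origin) {
  if (typeof origin !== "string" || origin === "" || origin === "null") return null;
  try {
    const u = new URL(origin);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return { host: u.host, hostname: u.hostname }; // host keeps the port
  } catch {
    return null;
  }
}

// Accept only same-origin requests (Origin host equals the Host header) or
// origins whose hostname is explicitly allow-listed. Everything else,
// including Origin: null and clients that send no Origin at all, is refused.
function isAllowedDevOrigin(headers, allowedDevOrigins = []) {
  const o = parseOrigin(headers.origin);
  if (o === null) return false;
  if (headers.host && o.host === headers.host) return true;
  return allowedDevOrigins.includes(o.hostname);
}

// Decision for one upgrade request: only the HMR path is policed here, so
// other websocket routes behind the proxy are unaffected by this guard.
function shouldBlockUpgrade(req, allowedDevOrigins = []) {
  const path = new URL(req.url, "http://placeholder").pathname;
  if (path !== HMR_PATH) return false;
  return !isAllowedDevOrigin(req.headers, allowedDevOrigins);
}

// Wire the check into an http.Server's 'upgrade' event. Blocked upgrades get a
// 403 and the socket is closed before anything is forwarded to next dev;
// allowed ones are left to the proxy's own upgrade handler (not shown).
function attachHmrGuard(server, allowedDevOrigins = []) {
  server.on("upgrade", (req, socket) => {
    if (shouldBlockUpgrade(req, allowedDevOrigins)) {
      socket.write("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
      socket.destroy();
    }
  });
}
```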