PT-2026-25908 · Npm · Next
Published 2026-03-17 · Updated 2026-03-17
CVE-2026-27977
CVSS v4.0: 2.3
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
In next dev, the cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. Privacy-sensitive or opaque browsing contexts, which send the literal Origin: null (for example, sandboxed documents), could therefore connect to these endpoints unexpectedly.
Impact
If a next dev server is reachable from attacker-controlled content loaded in the developer's browser, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. Only development mode (next dev) is affected.
Note that apps without a configured allowedDevOrigins still allow connections from any origin.
Patches
Fixed by validating Origin: null through the same cross-site origin-allowance checks used for every other origin, so a null origin is rejected unless it is explicitly allowed.
Workarounds
If upgrading is not immediately possible:
- Do not expose next dev to untrusted networks.
- At your proxy, block websocket upgrades to /_next/webpack-hmr when the Origin header is null.
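The patch (routing Origin: null through the ordinary origin-allowance check) and the proxy workaround above, modelled side by side as an added example. This is illustrative code written for this page, not Next.js's own implementation: the function names, the allowlist matching (exact host or a leading "*." wildcard), the query-string stripping and the treatment of a missing Origin header are assumptions made for the illustration. What is not an assumption is the core behaviour the advisory describes: an Origin header whose value does not parse as a URL, which is exactly what the literal "null" is, must not be treated as "no cross-site origin".

```javascript
// Added example (not Next.js's own code): models the dev-server websocket
// origin check this advisory describes. Function names, the allowlist format
// (exact host or "*.suffix" wildcard), query-string stripping and the handling
// of a missing Origin header are assumptions made for illustration.

const HMR_PATH = '/_next/webpack-hmr'; // dev HMR websocket path named in the workaround

// Path of the upgrade request without any query string (assumption: HMR clients may append one).
function pathOf(req) {
  return req.url.split('?')[0];
}

// Parse an Origin header into a lowercase host[:port]; undefined if it is not a URL.
// The literal "null" sent by opaque contexts is not a URL, so it yields undefined.
function originHost(origin) {
  try {
    return new URL(origin).host.toLowerCase();
  } catch {
    return undefined;
  }
}

// Allowlist match: exact host, or "*.example.test" matching any subdomain (assumed format).
function hostAllowed(host, allowedDevOrigins) {
  return allowedDevOrigins.some((entry) => {
    const e = entry.toLowerCase();
    return e.startsWith('*.') ? host.endsWith(e.slice(1)) : e === host;
  });
}

// BEFORE (the behaviour the advisory describes): an Origin that fails to parse is
// treated as "no cross-site origin", so "null" skips the allowlist entirely.
function allowUpgradeVulnerable(req, serverHost, allowedDevOrigins) {
  if (pathOf(req) !== HMR_PATH) return true;   // only the internal dev endpoint is guarded
  const origin = req.headers.origin;
  if (origin === undefined) return true;       // assumption: non-browser clients send no Origin
  const host = originHost(origin);
  if (host === undefined) return true;         // BUG: "null" lands here and is allowed
  return host === serverHost || hostAllowed(host, allowedDevOrigins);
}

// AFTER (the fix as described): "null", like any other Origin value, goes through the
// same allowance check, so it is rejected unless someone explicitly allowlists it.
function allowUpgradeFixed(req, serverHost, allowedDevOrigins) {
  if (pathOf(req) !== HMR_PATH) return true;
  const origin = req.headers.origin;
  if (origin === undefined) return true;
  const host = originHost(origin) ?? origin.trim().toLowerCase(); // "null" stays "null"
  return host === serverHost || hostAllowed(host, allowedDevOrigins);
}

// Proxy-side workaround from the advisory: drop upgrades to the HMR path whose
// Origin is the literal null before they ever reach next dev.
function proxyShouldBlockUpgrade(req) {
  const origin = (req.headers.origin ?? '').trim().toLowerCase();
  return pathOf(req) === HMR_PATH && origin === 'null';
}

// Constructed upgrade request carrying only the fields the checks look at.
function makeUpgradeRequest(origin, url = HMR_PATH) {
  return { url, headers: origin === undefined ? {} : { origin } };
}

// Evaluate a set of constructed origins against all three checks and return the table.
function compare(serverHost = 'localhost:3000', allowedDevOrigins = ['dev.example.test']) {
  const origins = ['http://localhost:3000', 'http://dev.example.test', 'http://evil.test', 'null'];
  return origins.map((origin) => {
    const req = makeUpgradeRequest(origin);
    return {
      origin,
      vulnerable: allowUpgradeVulnerable(req, serverHost, allowedDevOrigins),
      fixed: allowUpgradeFixed(req, serverHost, allowedDevOrigins),
      proxyBlocks: proxyShouldBlockUpgrade(req),
    };
  });
}

for (const row of compare()) console.log(row);
```

Run it with node; compare() prints one row per constructed origin. The row to look at is the last one: the vulnerable check returns true for Origin: null while the fixed check and the proxy rule both reject it, and the ordinary same-host, allowlisted and foreign origins behave identically before and after the fix.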
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Next