CVE-2026-27977

Name of the Vulnerable Software and Affected Versions Next.js versions 16.0.1 through 16.1.6

Description Next.js, a React framework for building full-stack web applications, had a flaw in its development mode (next dev) where cross-site protection for internal websocket endpoints could incorrectly allow connections from contexts with a Origin: null header, even when allowedDevOrigins was configured. This could allow an attacker with access to attacker-controlled content to connect to the Hot Module Replacement (HMR) websocket channel and potentially interact with development websocket traffic. The issue only affects development mode. Applications without a configured allowedDevOrigins were also susceptible, allowing connections from any origin. The API endpoint / next/webpack-hmr is involved in this issue. The Origin variable is a key factor in the vulnerability.

Recommendations Next.js versions prior to 16.1.7 should be updated to version 16.1.7 or later to validate the Origin: null header using the same cross-site origin checks as other origins. If upgrading is not immediately possible, do not expose next dev to untrusted networks. As an additional measure, block websocket upgrades to the / next/webpack-hmr endpoint when the Origin header is null at the proxy.