PT-2026-25972 · Vercel · Next.Js
Tanner · Published 2026-03-17 · Updated 2026-03-27 · CVE-2026-29057
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Next.js versions 9.5.0 through 15.5.13 and 16.1.7
Description: Next.js, a React framework, is affected by an issue in which crafted DELETE/OPTIONS requests using Transfer-Encoding: chunked cause the proxy and the backend to disagree on where one request ends and the next begins when Next.js rewrites proxied traffic to an external backend. The result is request smuggling through rewritten routes: an attacker could smuggle a second request to unintended backend routes, such as internal or admin endpoints, bypassing access controls. Applications hosted on providers that handle rewrites at the Content Delivery Network (CDN) level, such as Vercel, are not affected. The root cause lies in an upstream library used by Next.js. The Transfer-Encoding: chunked header delivers the body as a series of chunks, and the vulnerability arises when the proxy and the backend interpret those chunks differently on a rewritten request. The affected API endpoints are / and any route that is rewritten. The vulnerable parameters are those carried by the DELETE and OPTIONS requests, specifically the Transfer-Encoding header with the value chunked.
Recommendations: Update Next.js to version 15.5.13 or 16.1.7. If upgrading is not immediately possible, block chunked DELETE/OPTIONS requests on rewritten routes at the edge/proxy. Enforce authentication/authorization on backend routes.
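The interim mitigation above (blocking chunked DELETE/OPTIONS requests on rewritten routes at the edge/proxy) as an added example; this is not code from the advisory or from the Next.js project. It assumes a Node.js reverse proxy in front of the application, and the rewritten path prefixes are constructed sample values that a deployment would replace with its own rewrite targets.

```javascript
// Added example (not Next.js project code): an edge/proxy guard implementing the
// advisory's interim mitigation. It flags DELETE/OPTIONS requests that carry
// Transfer-Encoding: chunked and target a route the app rewrites to an external
// backend. The prefixes below are constructed sample values, not from the advisory.

const REWRITTEN_PREFIXES = ['/api/', '/legacy/']; // constructed sample rewrite targets

// Split a Transfer-Encoding value into lowercase tokens so that "Chunked",
// "gzip, chunked" and " chunked " are all recognised as chunked.
function transferEncodingTokens(value) {
  if (value === undefined || value === null) return [];
  const raw = Array.isArray(value) ? value.join(',') : String(value);
  return raw.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

function isRewrittenPath(pathname, prefixes = REWRITTEN_PREFIXES) {
  return prefixes.some((p) => pathname.startsWith(p));
}

// Decide whether a request matches the risky shape described in the advisory.
// Returns { block, reason }; `reason` is intended for edge logging.
function evaluateRequest(method, headers, pathname, prefixes = REWRITTEN_PREFIXES) {
  const m = String(method).toUpperCase();
  const chunked = transferEncodingTokens(headers['transfer-encoding']).includes('chunked');
  if (!chunked) return { block: false, reason: 'not chunked' };
  if (!isRewrittenPath(pathname, prefixes)) return { block: false, reason: 'not a rewritten route' };
  if (m !== 'DELETE' && m !== 'OPTIONS') return { block: false, reason: 'method not in scope' };
  return { block: true, reason: `chunked ${m} to rewritten route ${pathname}` };
}

// Connect-style middleware for a Node.js reverse proxy (assumed deployment).
// Node lowercases incoming header names, so 'transfer-encoding' is the key.
function guardMiddleware(req, res, next) {
  const pathname = new URL(req.url, 'http://localhost').pathname;
  const decision = evaluateRequest(req.method, req.headers, pathname);
  if (decision.block) {
    res.statusCode = 400;
    // Do not keep a connection alive when its request framing is suspect.
    res.setHeader('Connection', 'close');
    res.end('Bad Request');
    return;
  }
  next();
}
```

Requests that pass the guard are forwarded unchanged; rejected ones are answered with 400 and the connection is closed so no following bytes on that connection are reinterpreted by the backend.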

Weakness Enumeration: HTTP Request/Response Smuggling

Related Identifiers:
BDU:2026-04707
CVE-2026-29057
GHSA-GGV3-7P47-PFV8

Affected Products: Next.Js