CVE-2026-27977

EPSS 0.01%

Next.js: null origin can bypass dev HMR websocket CSRF checks

Published: 3/17/2026
Modified: 3/25/2026

Description

## Summary

In `next dev`, cross-site protections for internal development endpoints could treat `Origin: null` as a bypass case even when [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.

## Impact

If a developer visits attacker-controlled content while running an affected `next dev` server with [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) configured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked.

This issue affects development mode only. It does not affect `next start`, and it does not expose internal debugging functionality to the network by default.

## Patches

Fixed by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins on internal development endpoints.

## Workarounds

If upgrading is not immediately possible:

- Do not expose `next dev` to untrusted networks.
- If you use [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins), reject requests and websocket upgrades with `Origin: null` for internal dev endpoints at your proxy.
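The origin check the patch describes, beside the weak form it replaces, plus the proxy-side workaround, as an added illustration constructed for this advisory (not Next.js's own code; the hostname allow-list modelling `allowedDevOrigins`, the `/_next/` internal path prefix and the sample request paths are assumptions):

```javascript
// Constructed example for this advisory, not Next.js's implementation.
// Assumptions: allowedDevOrigins is modelled as a plain list of hostnames,
// and internal dev endpoints are assumed to live under the "/_next/" prefix.

// Weak form of the check: a missing Origin header or the literal opaque origin
// "null" is waved through, so a sandboxed document (which sends Origin: null)
// never reaches the allow-list. This is the bug class the advisory describes.
function isAllowedDevOriginWeak(originHeader, allowedHosts) {
  if (originHeader === undefined || originHeader === "null") return true;
  try {
    return allowedHosts.includes(new URL(originHeader).hostname);
  } catch {
    return false;
  }
}

// Fixed form: only a missing Origin (non-browser clients, requests that carry
// no Origin) is exempt. "null" gets no special case; it is not a parseable
// origin, so it fails the allow-list exactly like "http://evil.test" would.
function isAllowedDevOrigin(originHeader, allowedHosts) {
  if (originHeader === undefined) return true;
  let hostname;
  try {
    hostname = new URL(originHeader).hostname;
  } catch {
    return false; // covers "null" and any malformed Origin value
  }
  return allowedHosts.includes(hostname);
}

// Proxy-side workaround from the advisory: for internal dev endpoints (assumed
// prefix "/_next/"), drop any request or websocket upgrade whose Origin is
// "null" before it reaches the dev server. Header names are lower-cased here
// as Node's http module presents them.
function shouldRejectAtProxy(path, headers, internalPrefix = "/_next/") {
  if (!path.startsWith(internalPrefix)) return false;
  return headers.origin === "null";
}

// Decide an HMR websocket upgrade end to end: proxy filter first, then the
// origin allow-list the dev server applies. Returns the HTTP status to send.
function decideUpgrade(req, allowedHosts) {
  if (shouldRejectAtProxy(req.url, req.headers)) return 403;
  return isAllowedDevOrigin(req.headers.origin, allowedHosts) ? 101 : 403;
}

// Constructed sample upgrade from a sandboxed document (Origin: null).
const sandboxedUpgrade = {
  url: "/_next/dev-ws", // constructed path, not a real Next.js endpoint
  headers: { origin: "null", upgrade: "websocket", connection: "Upgrade" },
};
```

With `["localhost"]` as the allow-list, `isAllowedDevOriginWeak` admits `sandboxedUpgrade` while `decideUpgrade` returns 403 for it.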

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |

References (5)