Fluid Attacks Database

Description

A CSRF check bypass flaw has been discovered in Next.js. In the next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured allowedDevOrigins still allow connections from any origin.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel9	dotnet7.0	-	-
npm	next	>=16.0.1 <16.1.7	16.1.7

Aliases

1. CVE-2026-279772. NVD-2026-279773. OSV-2026-279774. GHSA-jcc7-9wpm-mj365. GCVE-2026-27977

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj362. https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a3. https://github.com/vercel/next.js/releases/tag/v16.1.7

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.