CVE-2026-27977: Next.js: null origin can bypass dev HMR websocket CSRF checks

March 17, 2026 (updated March 25, 2026)

In next dev, cross-site protections for internal development endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.

References

github.com/advisories/GHSA-jcc7-9wpm-mj36
github.com/vercel/next.js
github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a
github.com/vercel/next.js/releases/tag/v16.1.7
github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
nvd.nist.gov/vuln/detail/CVE-2026-27977

Code Behaviors & Features

Detect and mitigate CVE-2026-27977 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →