CVE-2026-27977: Next.js: null origin can bypass dev HMR websocket CSRF checks

March 17, 2026 (updated March 19, 2026)

In next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly.

References

github.com/advisories/GHSA-jcc7-9wpm-mj36
github.com/vercel/next.js
github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a
github.com/vercel/next.js/releases/tag/v16.1.7
github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
nvd.nist.gov/vuln/detail/CVE-2026-27977

Code Behaviors & Features

Detect and mitigate CVE-2026-27977 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →