CVE-2025-29927

Published Mar 21, 2025

Last updated 6 months ago

CVSS critical 9.1
React
Next.js

Overview

Description
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
Source
security-advisories@github.com
NVD status
Analyzed
Products
next.js
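The two things a defender needs from the description above are a reliable way to tell whether an installed `next` version falls inside the affected ranges, and the stop-gap mitigation of keeping the `x-middleware-subrequest` header out of external requests when upgrading is not yet possible. The following is an added example written for this page, not code from Vercel or the Next.js project. It assumes the advisory's ranges as stated (affected from 1.11.4 up to, but not including, 12.3.5 / 13.5.9 / 14.2.25 / 15.2.3), that major lines without a listed backport (1.11.4 through 11.x) are affected outright while anything newer than 15.2.3 is not, and that a prerelease tag such as `15.2.3-canary.0` orders before the fixed release under semver and is therefore still affected. The sample versions and the sample request are constructed; the header value in the sample is a placeholder, not a working payload.

```javascript
// Added example for CVE-2025-29927 (not Vercel/Next.js project code):
//   1. isAffected(): triage an installed `next` version against the advisory's ranges.
//   2. stripInternalHeaders(): the advisory's stop-gap mitigation, dropping the
//      x-middleware-subrequest header from external requests at the edge (proxy/CDN).
// Everything after the two functions is constructed sample input.

const FIRST_AFFECTED = [1, 11, 4];
// Fixed release for each major line that received a backport (per the advisory).
const FIXED_BY_MAJOR = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };
const HIGHEST_FIXED = [15, 2, 3];

// Parse "15.2.3", "v15.2.3" or "15.2.3-canary.4" into a numeric triple plus a
// prerelease flag. Anything else (ranges, build metadata, garbage) is rejected
// so a triage script fails loudly instead of reporting "not affected".
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable Next.js version: ${text}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

function cmpNums(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` falls inside the advisory's affected range.
// Assumptions (mine, not the advisory's): a major line with no listed fix
// (1.11.4 through 11.x) is affected outright, anything above 15.2.3 is not,
// and a prerelease of a fixed version precedes the fix and is still affected.
function isAffected(version) {
  const { nums, pre } = parseVersion(version);
  if (cmpNums(nums, FIRST_AFFECTED) < 0) return false;
  const fix = FIXED_BY_MAJOR[nums[0]];
  if (fix === undefined) {
    // No backport on this major line: affected only if older than every fix.
    return cmpNums(nums, HIGHEST_FIXED) < 0;
  }
  const c = cmpNums(nums, fix);
  return c < 0 || (c === 0 && pre);
}

const INTERNAL_HEADER = 'x-middleware-subrequest';

// Return a copy of `headers` without the internal header. HTTP header names are
// case-insensitive, so compare lowercased. `stripped` is the audit signal the
// edge should log: an external client has no legitimate reason to send it.
function stripInternalHeaders(headers) {
  const clean = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      stripped = true;
      continue;
    }
    clean[name] = value;
  }
  return { headers: clean, stripped };
}

// Constructed sample versions, not taken from a real deployment.
const SAMPLE_VERSIONS = ['15.2.2', '15.2.3', '15.2.3-canary.0', '14.2.25', '13.5.8', '12.3.5', '11.1.4', '16.0.0'];
for (const v of SAMPLE_VERSIONS) {
  console.log(`${v.padEnd(16)} ${isAffected(v) ? 'AFFECTED - upgrade' : 'not affected'}`);
}

// Constructed sample request; the header value is a placeholder, not a working payload.
const SAMPLE_REQUEST = {
  Host: 'app.example.internal',
  'User-Agent': 'curl/8.5.0',
  'X-Middleware-Subrequest': 'placeholder',
};
const result = stripInternalHeaders(SAMPLE_REQUEST);
console.log(result.stripped
  ? 'dropped x-middleware-subrequest from an external request (log this)'
  : 'no internal header present');
```

The header filter only helps if it runs in front of every path into the Next.js process (reverse proxy, CDN, ingress); a check inside Next.js middleware itself is the wrong layer, since the bug is precisely that middleware can be skipped. Treat `stripped === true` as a detection event worth alerting on, and treat the filter as a bridge until the application is on 12.3.5, 13.5.9, 14.2.25 or 15.2.3 or later, which is the only actual fix.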

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-285
nvd@nist.gov
CWE-863

Social media

Hype score
Not currently trending
  1. A vibe-coded Next.js app got a cryptominer. Not from bad prompting. Not from a bad model. The AI pinned a vulnerable dependency. The app passed functional tests. Nobody asked "why this version?" Attacker found CVE-2025-29927. Middleware bypass. Mining binary. 100% CPU. AI

    @gremlinworks_

    17 Mar 2026

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 1/4: Did you leave the door to your Next.js site open? (CVE-2025-29927) 🚨 It is possible to get past your entire auth and CSP layer with a single header. The current meta: **x-middleware-subrequest** abuse. Let's look at how it works and how to protect against it. 🧵 2/

    @logapsec

    10 Mar 2026

    153 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  3. I just completed Next.js: CVE-2025-29927 room on TryHackMe! Explore an authorisation bypass vulnerability in Next.js. https://t.co/UNic0BXic5 #tryhackme via @tryhackme

    @ToTo13ru_xakep

    9 Mar 2026

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 Nextjs Middleware Bypass Flaw (#CVE-2025-29927): A Deep Dive into the Vulnerability and How to Secure Your Apps + Video https://t.co/EkI4a9gG6E Educational Purposes!

    @UndercodeUpdate

    23 Feb 2026

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. I just completed Next.js: CVE-2025-29927 room on TryHackMe! Explore an authorisation bypass vulnerability in Next.js. https://t.co/mHFw7nPj0s #tryhackme via @tryhackme

    @acupunc28094787

    22 Feb 2026

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 CVE-2026-1281 Critical Code Injection in Ivanti EPMM: What You Should Know 🚨 Discover the key information you need to know about CVE-2025-29927, an authentication bypass vulnerability in the middleware layer in Vercel’s Next.js. Learn more: https://t.co/FBnEhbfv8Y htt

    @pluralsight

    3 Feb 2026

    1136 Impressions

    0 Retweets

    0 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 Next.js Middleware Auth Bypass (CVE-2025-29927 | CVSS 9.1) One trusted header. Skipped middleware. Full app compromise. Our research shows how a single request leads to auth bypass, LFI & server takeover. Full blog: https://t.co/s20LKcdmiF Connect - https://t.co/wRAYxGeO

    @consult_secnuo

    28 Jan 2026

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-29927: Next.js Middleware Bypass: When 'I'm With The Band' Actually Works https://t.co/YkiB6BgVG9 #security #cybersecurity #cve #ghsa

    @_cvereports

    12 Jan 2026

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Top 5 Trending CVEs: 1 - CVE-2025-43533 2 - CVE-2023-29218 3 - CVE-2026-20029 4 - CVE-2025-55182 5 - CVE-2025-29927 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    11 Jan 2026

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. HackTheBox - Previous ⚙️ Authorization Bypass in Next.js (CVE-2025-29927) 📂 File download via Path Traversal 🔑 Credentials for SSH 🚀 Privesc with sudo and Terraform https://t.co/qmQvcGDXzd

    @sckull_

    10 Jan 2026

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Previous from @hackthebox_eu features CVE-2025-29927 (NextJS middleware auth bypass), directory traversal for file read, and three ways to abuse a Terraform sudo rule with !env_reset to get root. https://t.co/8wz1Fnbz38

    @0xdf_

    10 Jan 2026

    1974 Impressions

    5 Retweets

    32 Likes

    8 Bookmarks

    1 Reply

    0 Quotes

  12. Best of 2025: CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability - Security Boulevard https://t.co/7C55OcSEEd

    @PVynckier

    4 Jan 2026

    116 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Day 79 of #100DaysOfCybersecurity🛡️ Next.js CVE-2025-29927 lab completed ✅ Analyzed an authorization bypass where a crafted HTTP header skips middleware checks and exposes protected routes ⚠️ Affects Next.js versions before 14.2.25 and 15.2.3. Patch now. https://t.

    @HezyChacha

    31 Dec 2025

    23 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  14. I just completed Next.js: CVE-2025-29927 room on TryHackMe. Explore an authorisation bypass vulnerability in Next.js. https://t.co/VQjqTYrVDA #tryhackme via @tryhackme

    @HezyChacha

    31 Dec 2025

    36 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Recently a hacking group named PCPcat has been using two vulnerabilities with the identifiers CVE-2025-29927 and CVE-2025-66478 to break into servers. One of these vulnerabilities relates to

    @AmirHossein_sec

    25 Dec 2025

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Operation PCPcat Hacked 59,000+ Next.js/React Servers Within 48 Hours A massive credential-theft campaign dubbed PCPcat compromised 59,128 Next.js servers in under 48 hours. The operation exploits critical vulnerabilities CVE-2025-29927 and CVE-2025-66478, achieving a 64.6%

    @redhuvivek09

    25 Dec 2025

    161 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  17. 🚨 Operation PCPcat: Credential-Stealing Campaign Hijacks 59,000+ Next.js Servers via React/Next.js RCE A mass exploitation campaign is compromising internet-facing Next.js deployments by chaining CVE-2025-29927 and CVE-2025-66478 for RCE, then scraping high-value secrets (.env

    @ThreatSynop

    25 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨 Operation PCPcat Hacked 59,000+ Next.js/React Servers Within 48 Hours Source: https://t.co/O09ua70IX0 A massive credential-theft campaign dubbed PCPcat compromised 59,128 Next.js servers in under 48 hours. The operation exploits critical vulnerabilities CVE-2025-29927 and

    @The_Cyber_News

    24 Dec 2025

    4808 Impressions

    34 Retweets

    95 Likes

    28 Bookmarks

    3 Replies

    1 Quote

  19. 59,128 Next.js servers were hacked in 48 hours. Reported by Beelzebub. A chain of CVE-2025-29927 and CVE-2025-66478. Attack success rate 64.6%. Investigated via C2 server reconnaissance. The activity was named Operation PCPcat. https://t.co/FIwX4EOrYX

    @__kokumoto

    24 Dec 2025

    3471 Impressions

    14 Retweets

    46 Likes

    16 Bookmarks

    0 Replies

    1 Quote

  20. PCPcat malware compromises 59,000+ servers in under 48 hours via React2Shell exploit, abusing .js/React RCE flaws CVE-2025-29927 and CVE-2025-66478 for unauthenticated remote code execution. #Malware https://t.co/3iSPlAiBTl

    @threatcluster

    15 Dec 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. I just completed Next.js: CVE-2025-29927 room on TryHackMe. Explore an authorisation bypass vulnerability in Next.js. https://t.co/FxrOM7K1yV #tryhackme via @tryhackme

    @mXgarweg

    13 Dec 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. ⚠️ SCASH Wallet security notice & service status update. After emergency maintenance, our web wallet is now back to normal. The block explorer will be restored within 24 hours. This issue stemmed from a publicly disclosed vulnerability in Next.js (CVE-2025-29927). The vulnerability allows an attacker, by constructing

    @Hysanalde

    8 Dec 2025

    1267 Impressions

    7 Retweets

    23 Likes

    2 Bookmarks

    5 Replies

    0 Quotes

  23. 🚨 Even popular frameworks like Next.js can have serious flaws… Just completed the Next.js: CVE-2025-29927 room on @TryHackMe 🧠💻 Dug into an authorization bypass vulnerability and how attackers can exploit weak access control. 🔗 https://t.co/7npcdvpCc5 #TryHackMe

    @BlackLightning5

    24 Nov 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. CVE-2025-29927 https://t.co/fmtDlTNkXc

    @ExWareLabs

    19 Nov 2025

    46 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Want to learn a way to find those hard-hitting critical vulnerabilities? 🐛 CVE-2025-29927 is a vulnerability in Next.JS that can lead to a complete authorization bypass. Watch the video below to get a quick peek and then try the lab yourself 👇 https://t.co/zC6GAAqOB0… h

    @Kimcheater_

    16 Nov 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. If you do authentication in Next.js Middleware, check right away! Explanation of and countermeasures for the authorization bypass vulnerability (CVE-2025-29927) https://t.co/IrxQiIPHiR #Qiita

    @keigoriankami

    10 Nov 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. CVE-2025-29927 - #Next.js Auth Bypass PoC https://t.co/AJsKE1EMUA #hacking

    @hack4lifemx

    6 Nov 2025

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Want to learn a way to find those hard-hitting critical vulnerabilities? 🐛 CVE-2025-29927 is a vulnerability in Next.JS that can lead to a complete authorization bypass. Watch the video below to get a quick peek and then try the lab yourself 👇 https://t.co/U8HN812Oey http

    @hackinghub_io

    5 Nov 2025

    6422 Impressions

    23 Retweets

    122 Likes

    91 Bookmarks

    1 Reply

    0 Quotes

  29. Post 1/30 : CVE-2025-29927 How to find Vulnerable Assets for it! Steps; 1. Get all domains and IPS Domains >> Subfinder -dL list-of-domain.txt -o subdomains.txt IPs >> shodan search "ssl:'domain.tld'" --fields ip_str --limit 1000 >> ips.txt 2. find their op

    @h4x0r_fr34k

    19 Oct 2025

    11773 Impressions

    31 Retweets

    249 Likes

    272 Bookmarks

    1 Reply

    1 Quote

  30. Day 1/30 : CVE-2025-29927 How to find Vulnerable Assets for it! Steps; 1. Get all domains and IPS Domains >> Subfinder -dL list-of-domain.txt -o subdomains.txt IPs >> shodan search "ssl:'domain.tld'" --fields ip_str --limit 1000 >> ips.txt 2. find their ope

    @h4x0r_fr34k

    19 Oct 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. I was awarded a $290 bounty on @Hacker0x01! https://t.co/5dbKBrWp1S #TogetherWeHitHarder #bugbountytips Tip: CVE-2025-29927 via /admin https://t.co/sERtc8B1ks

    @exploit_msf

    4 Oct 2025

    3254 Impressions

    2 Retweets

    127 Likes

    15 Bookmarks

    2 Replies

    0 Quotes

  32. 🚨 New video available! Exploiting CVE-2025-29927 in a vulnerable middleware 💥 From detection to a working PoC. ✅ Identify the vulnerable version ✅ Hook up Burp and analyze 🎯 Applied offensive thinking. No theory. 📺 https://t.co/Noy9UEmX

    @gorkaelbochi

    20 Sept 2025

    74 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  33. 🚨CVE-2025-29927: Next.js Middleware Bypass Vulnerability PoC: https://t.co/olD5JesWY1 Credit: https://t.co/3XCm1VLLsI https://t.co/nIJFC7hjf4

    @DarkWebInformer

    17 Sept 2025

    7723 Impressions

    19 Retweets

    97 Likes

    52 Bookmarks

    0 Replies

    1 Quote

  34. 🚨 New video now available! 📽️ Exploiting CVE-2025-29927 step by step 🧠 Vulnerable middleware → working PoC → real execution ✅ Detect the vulnerable version ✅ Analyze the flow ✅ Build the PoC ✅ Practical exploitation 📺 https://t.co/Noy9UEmXIo

    @gorkaelbochi

    16 Sept 2025

    81 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  35. 💡 ⚒️ ✏️  Ghost-Route - Ghost Route Detects If A Next JS Site Is Vulnerable To The Corrupt Middleware Bypass Bug (CVE-2025-29927) https://t.co/cDC5TeXhMw

    @pedri77

    15 Sept 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. 🚨 This Tuesday the 16th at 20:00 I'm uploading a video: Step-by-step exploitation of CVE-2025-29927 🧠 The target? A vulnerable middleware. You'll see: ✅ What middleware is ✅ How to detect the vulnerable version ✅ How to exploit it (for real) 💥 No theory. All practical. 💞 ht

    @gorkaelbochi

    15 Sept 2025

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. I just completed Next.js: CVE-2025-29927 room on TryHackMe. Explore an authorisation bypass vulnerability in Next.js. https://t.co/3sLnz8REQ3 #tryhackme via @realtryhackme

    @vinnykosgeii

    13 Sept 2025

    62 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  38. 🚨 Next.js CVE-2025-29927 – Authentication Bypass Explained 🔎 What Happened? A critical vulnerability in Next.js middleware (CVE-2025-29927, CVSS 9.1) allows attackers to bypass authentication and authorization checks. The root cause: improper trust of an internal header

    @AnonOzzyDude

    8 Sept 2025

    55 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  39. 🚨 Unmasking #CVE-2025-29927: The Nextjs Framework Flaw Every Hunter Must Understand https://t.co/ReHVZzwlgw Educational Purposes!

    @UndercodeUpdate

    7 Sept 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. The newly discovered critical vulnerability CVE-2025-29927 in the Next.js framework could allow the authorization mechanism to be completely bypassed and may have a serious impact on web applications. The problem is the improper

    @yousukezan

    1 Sept 2025

    1947 Impressions

    6 Retweets

    15 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  41. VIDEO POC CVE-2025-29927 https://t.co/hyIIbdPgCe

    @h4x0r_fr34k

    1 Sept 2025

    733 Impressions

    3 Retweets

    26 Likes

    7 Bookmarks

    0 Replies

    0 Quotes

  42. CVE-2025-29927: Next.js Middleware Authorization Bypass https://t.co/3F4JkIEfkt #news

    @packet_storm

    1 Sept 2025

    460 Impressions

    2 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  43. [Authentication bypass via critical Next.js vulnerability] A critical vulnerability, CVE-2025-29927, has been discovered in the Next.js framework; attackers can abuse improper handling of the x-middleware-subrequest header to completely bypass middleware-based authentication checks

    @nakajimeeee

    1 Sept 2025

    482 Impressions

    0 Retweets

    2 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  44. 🚨 CVE-2025-29927 – Next.js Middleware Bypass A deep technical dive into how x-middleware-subrequest can be exploited to bypass auth checks in Next.js apps. Read the full write-up here 👇 https://t.co/aW3qQjK5oO #NextJS #CVE2025 #WebSecurity #Pentesting #Hacking #BugBoun

    @NullSecurityX

    31 Aug 2025

    2339 Impressions

    10 Retweets

    67 Likes

    36 Bookmarks

    2 Replies

    1 Quote

  45. New YouTube video 😸🔥 🐧Extract | TryHackMe | CVE-2025-29927 | SSRF😸🛸 🐧 TryHackMe Extract Video link in first comment: ⤵️⤵️⤵️🦜🦜🦜 https://t.co/MM57CQhWfT

    @DjalilAyed

    25 Aug 2025

    626 Impressions

    0 Retweets

    4 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  46. ⚠️ Weekly vuln radar. https://t.co/Cd6L8ACyLV – spot what’s trending before it’s everywhere: CVE-2025-29927 CVE-2025-43300 CVE-2025-57788 (@chudyPB, Sonny) CVE-2025-9132 (@GoogleDeepMind) CVE-2025-9074 CVE-2025-57790 CVE-2025-57789 CVE-2025-57791 CVE-2024-41787

    @ptdbugs

    22 Aug 2025

    127 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. CVE-2025-29927 Exploitation : X-Nextjs-Data: 1 X-Middleware-Subrequest: src/middleware:nowaf:src/middleware:src/middleware:src/middleware:src/middleware:middleware:middleware:nowaf:middleware:middleware:middleware:pages/_middleware https://t.co/yMOPQxUFiP

    @h4x0r_fr34k

    21 Aug 2025

    9684 Impressions

    57 Retweets

    246 Likes

    162 Bookmarks

    1 Reply

    0 Quotes

  48. In March, @vercel faced intense criticism for a critical 9.1-rated vulnerability (CVE-2025-29927) in Next.js middleware, with many accusing the company of slow disclosure and poor communication with customers. Competing tech CEOs publicly called out Vercel’s handling of the iss

    @RoryCrave

    12 Aug 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. (🧵Thread) 🔎 In this week’s Threat Alert Newsletter: CVE-2025-29927, an authentication bypass in Next.js is drawing fresh attention from attackers. CrowdSec CTI has observed a sharp uptick in exploitation attempts across our global network. We break down why this 3-month-

    @Crowd_Security

    4 Aug 2025

    303 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  50. PoC CVE-2025-29927: Middleware Bypass + RCE in Next.js | Python Exploit | Bug Hunters & Ethical Hacking. Link to the video on YouTube, please subscribe. https://t.co/QBotfpZyMd https://t.co/ROW4tOJC6E

    @Z3R0NYX

    28 Jul 2025

    160 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations