CVE-2026-27977

Description

## Summary In `next dev`, cross-site protections for internal development endpoints could treat `Origin: null` as a bypass case even when [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly. ## Impact If a developer visits attacker-controlled content while running an affected `next dev` server with [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) configured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked. This issue affects development mode only. It does not affect `next start`, and it does not expose internal debugging functionality to the network by default. ## Patches Fixed by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins on internal development endpoints. ## Workarounds If upgrade is not immediately possible: - Do not expose `next dev` to untrusted networks. - If you use [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins), reject requests and websocket upgrades with `Origin: null` for internal dev endpoints at your proxy.

How to fix CVE-2026-27977

To remediate CVE-2026-27977, upgrade the affected package to a fixed version below.

—upgrade to 16.1.7 or later

Is CVE-2026-27977 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 16.0.1, < 16.1.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N