CVE-2026-29057

Description

## Summary When Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. ## Impact An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. ## Patches The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. ## Workarounds If upgrade is not immediately possible: - Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your edge/proxy. - Enforce authentication/authorization on backend routes per our [security guidance](https://nextjs.org/docs/app/guides/data-security).

How to fix CVE-2026-29057

To remediate CVE-2026-29057, upgrade the affected package to a fixed version below.

• —upgrade to 16.1.7 or later

Is CVE-2026-29057 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 16.0.0-beta.0, < 16.1.7

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-29057
• PATCHgithub.com/vercel/next.js
• WEBgithub.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6
• WEBgithub.com/vercel/next.js/releases/tag/v15.5.13
• WEB