SB2026031727 - Multiple vulnerabilities in Next.js
Published: March 17, 2026
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-29057)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted DELETE/OPTIONS HTTP request using Transfer-Encoding: chunked to the server and smuggle arbitrary HTTP headers.
Successful exploitation of the vulnerability may allow an attacker to poison the HTTP cache and perform phishing attacks.
2) Resource management error (CVE-ID: CVE-2026-27979)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling HTTP requests that carry the "next-resume: 1" HTTP header. A remote attacker can send large HTTP POST payloads to the application to trigger excessive memory usage and cause a denial of service condition.
3) Missing Origin Validation in WebSockets (CVE-ID: CVE-2026-27977)
The vulnerability allows a remote attacker to perform CSRF attacks.
The vulnerability exists due to incorrect handling of "Origin: null". A remote attacker can bypass the CSRF checks on the development server's HMR WebSocket.
4) Cross-site request forgery (CVE-ID: CVE-2026-27978)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists because "origin: null" is treated as a "missing" origin during Server Action CSRF validation. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
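Items 3 and 4 share one root cause: an Origin header whose literal value is "null" is handled as if the header were absent. The following added example (not Next.js code) contrasts an origin check with that weakness against a hardened one that treats "null" as an explicit, untrusted value; the allow-listed hosts, the Referer fallback policy for a genuinely absent Origin, and the sample requests are constructed for illustration.

```javascript
// Added example, not Next.js's own code: a weak Origin check that treats the
// literal "null" Origin like an absent header, beside a hardened one that
// rejects it. Host allow-list and request samples are constructed.

const ALLOWED_HOSTS = new Set(["app.example.com", "localhost:3000"]);

function originHost(origin) {
  // Returns the host of a well-formed Origin/URL, or null if it does not parse.
  try {
    return new URL(origin).host;
  } catch {
    return null;
  }
}

// Weak variant: "null" and a missing header both fall through to the Host
// header, so a cross-site request carrying "Origin: null" is accepted.
function weakOriginCheck(headers) {
  const origin = headers.origin;
  if (origin === undefined || origin === "null") {
    return ALLOWED_HOSTS.has(headers.host);
  }
  return ALLOWED_HOSTS.has(originHost(origin));
}

// Hardened variant: only an Origin that parses to an allow-listed host passes.
// "null" (sandboxed iframes, cross-origin redirects, some privacy modes) is an
// explicit value that identifies no trusted origin and is rejected outright.
// Policy assumption: a truly absent Origin is tolerated only when the Referer
// host is allow-listed, as some same-origin navigations omit Origin.
function strictOriginCheck(headers) {
  const origin = headers.origin;
  if (origin === "null") return false;
  if (origin === undefined) {
    const refHost = headers.referer ? originHost(headers.referer) : null;
    return refHost !== null && ALLOWED_HOSTS.has(refHost);
  }
  const host = originHost(origin);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Constructed sample requests (header names lower-cased as Node exposes them).
const SAME_SITE = { host: "app.example.com", origin: "https://app.example.com" };
const NULL_ORIGIN = { host: "app.example.com", origin: "null" };
const CROSS_SITE = { host: "app.example.com", origin: "https://other.example" };
```

The weak check accepts NULL_ORIGIN because it falls back to the Host header, which the browser sets to the target site regardless of where the request came from; the strict check rejects it.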
5) Resource exhaustion (CVE-ID: CVE-2026-27980)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the image optimization disk cache (/_next/image) has no configurable upper bound, allowing unbounded cache growth. A remote attacker can request many unique image-optimization variants and exhaust disk space, leading to a denial of service condition.
Remediation
Install the update from the vendor's website.
References
- https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8
- https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq
- https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
- https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx
- https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8