SB2026031727 - Multiple vulnerabilities in Next.js
Published: March 17, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 vulnerabilities.
1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-29057)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted DELETE/OPTIONS HTTP request using Transfer-Encoding: chunked to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
2) Resource management error (CVE-ID: CVE-2026-27979)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling HTTP requests with "next-resume: 1" HTTP header. A remote attacker can send large HTTP POST payloads to the application and to trigger excessive memory usage and cause a denial of service condition.
3) Missing Origin Validation in WebSockets (CVE-ID: CVE-2026-27977)
CWE-ID: CWE-1385 - Missing Origin Validation in WebSockets
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform CSRF attacks.
The vulnerability exists due to incorrect handling of "Origin: null". A remote attacker can bypass dev HMR websocket CSRF checks.
4) Cross-site request forgery (CVE-ID: CVE-2026-27978)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to the "origin: null" is treated as a "missing" origin during Server Action CSRF validation. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
5) Resource exhaustion (CVE-ID: CVE-2026-27980)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the image optimization disk cache (/_next/image) does not have a configurable upper bound, allowing unbounded cache growth. A remote attacker can generate multiple unique image-optimization variants and exhaust disk space leading to a denial of service condition.
Remediation
Install update from vendor's website.
References
- https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8
- https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq
- https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
- https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx
- https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8