Red Hat CVE-2026-27977
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 47 npm packages depend on next (45 direct, 2 indirect)
Ecosystem-wide dependent count for version 16.0.1.
DescriptionGitHub Advisory
Summary
In next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly.
Impact
If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured allowedDevOrigins still allow connections from any origin.
Patches
Fixed by validating Origin: null through the same cross-site origin-allowance checks used for other origins.
Workarounds
If upgrade is not immediately possible:
- Do not expose
next devto untrusted networks. - Block websocket upgrades to
/_next/webpack-hmrwhenOriginisnullat your proxy.
AnalysisAI
CVE-2026-27977 is a security vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Technical ContextAI
Vulnerability type not specified by vendor.
RemediationAI
Apply the vendor-supplied patch immediately.
Same weakness CWE-1385 – Missing Origin Validation in WebSockets
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-jcc7-9wpm-mj36