Skip to content

Origin: null can bypass allowedDevOrigins protections for internal dev endpoints

Moderate
ztanner published GHSA-jcc7-9wpm-mj36 Mar 16, 2026

Package

npm next (npm)

Affected versions

>=16.0.1

Patched versions

16.1.7

Description

Summary

In next dev, cross-site protections for internal development endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.

Impact

If a developer visits attacker-controlled content while running an affected next dev server with allowedDevOrigins configured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked.

This issue affects development mode only. It does not affect next start, and it does not expose internal debugging functionality to the network by default.

Patches

Fixed by validating Origin: null through the same cross-site origin-allowance checks used for other origins on internal development endpoints.

Workarounds

If upgrade is not immediately possible:

  • Do not expose next dev to untrusted networks.
  • If you use allowedDevOrigins, reject requests and websocket upgrades with Origin: null for internal dev endpoints at your proxy.

Severity

Moderate

CVE ID

CVE-2026-27977

Weaknesses

Missing Origin Validation in WebSockets

The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. Learn more on MITRE.

Credits