Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit ff95e5f3701c · 2026-03-17T15:31:46.000Z
GHSA-jcc7-9wpm-mj36 GHSA-mq59-m269-xvcx
diff --git a/advisories/github-reviewed/2026/03/GHSA-jcc7-9wpm-mj36/GHSA-jcc7-9wpm-mj36.json b/advisories/github-reviewed/2026/03/GHSA-jcc7-9wpm-mj36/GHSA-jcc7-9wpm-mj36.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jcc7-9wpm-mj36",
+  "modified": "2026-03-17T15:29:48Z",
+  "published": "2026-03-17T15:29:48Z",
+  "aliases": [
+    "CVE-2026-27977"
+  ],
+  "summary": "Next.js: null origin can bypass dev HMR websocket CSRF checks",
+  "details": "## Summary\nIn `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly.\n\n## Impact\nIf a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only.\nApps without a configured [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) still allow connections from any origin.\n\n## Patches\nFixed by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins.  \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Do not expose `next dev` to untrusted networks.\n- Block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at your proxy.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "16.0.1"
+            },
+            {
+              "fixed": "16.1.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vercel/next.js"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1385"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T15:29:48Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-mq59-m269-xvcx/GHSA-mq59-m269-xvcx.json b/advisories/github-reviewed/2026/03/GHSA-mq59-m269-xvcx/GHSA-mq59-m269-xvcx.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mq59-m269-xvcx",
+  "modified": "2026-03-17T15:30:14Z",
+  "published": "2026-03-17T15:30:14Z",
+  "aliases": [
+    "CVE-2026-27978"
+  ],
+  "summary": "Next.js: null origin can bypass Server Actions CSRF checks",
+  "details": "## Summary\n`origin: null` was treated as a \"missing\" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.\n\n## Impact\nAn attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).\n\n## Patches\nFixed by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`.  \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Add CSRF tokens for sensitive Server Actions.\n- Prefer `SameSite=Strict` on sensitive auth cookies.\n- Do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "16.0.1"
+            },
+            {
+              "fixed": "16.1.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vercel/next.js"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T15:30:14Z",
+    "nvd_published_at": null
+  }
+}
