CVE-2026-27977: CWE-1385: Missing Origin Validation in WebSockets in vercel next.js
CVE-2026-27977 is a low-severity vulnerability affecting development mode in Next.js versions 16.0.1 up to but not including 16.1.7. It involves missing origin validation in the WebSocket connections used for Hot Module Replacement (HMR) during development. Specifically, the dev server's WebSocket endpoint treats an 'Origin: null' header as a bypass of its origin check, allowing attacker-controlled or sandboxed contexts to connect unexpectedly if the dev server is exposed to untrusted networks or to attacker-controlled pages. This could enable an attacker to interact with development WebSocket traffic, potentially leaking sensitive information or manipulating the development environment. The issue is fixed in version 16.1.7.
AI Analysis
Technical Summary
CVE-2026-27977 is a vulnerability in the Next.js React framework, specifically in the development-mode WebSocket endpoint used for Hot Module Replacement (HMR). In versions from 16.0.1 up to but excluding 16.1.7, that endpoint did not correctly validate the 'Origin' header on incoming connections: a handshake carrying 'Origin: null' was accepted without being checked against the allowed origins, even when the 'allowedDevOrigins' configuration was set to restrict them.

This matters because a WebSocket handshake is not restricted by the browser's same-origin policy; the 'Origin' header is the only signal the server has about which page opened the connection, so a server that trusts 'Origin: null' has no defence against pages that present it. Browsers send the literal value 'null' for opaque origins, for example a sandboxed iframe without 'allow-same-origin' and similar privacy-sensitive contexts. An attacker-controlled page can embed such a context and have the victim's browser open a connection to the dev server's HMR WebSocket, which a vulnerable server accepts. Once connected, the attacker's page can receive the messages the dev server pushes over that channel and send messages of its own, potentially leaking development-time data or interfering with the development process. Note that the 'Origin' header only means anything for browser-mediated connections: a client that talks to the port directly can send any 'Origin' value it likes, so origin validation never protects a dev server that is itself reachable from an untrusted network; that exposure has to be addressed separately, regardless of version.

The vulnerability is limited to development mode and does not affect production builds or deployments. The fix, introduced in Next.js version 16.1.7, subjects 'Origin: null' to the same origin-allowance checks as any other origin, so it is rejected unless the configuration allows it. Until upgrading, mitigations include not exposing the development server to untrusted networks and blocking WebSocket upgrade requests with 'Origin: null' at the proxy level. The CVSS 4.0 score is 2.3, reflecting low severity due to limited impact, the requirement for user interaction, and the vulnerability being restricted to development mode. No known exploits have been reported in the wild.
Potential Impact
The impact of CVE-2026-27977 is primarily limited to development environments using vulnerable versions of Next.js. If a development server is exposed to attacker-controlled content or untrusted networks, an attacker could connect to the internal HMR WebSocket channel by exploiting the missing origin validation. This could allow the attacker to observe or manipulate development-time WebSocket traffic, potentially leaking sensitive information such as source code, environment variables, or other development artifacts. However, since this vulnerability only affects development mode and not production deployments, the risk to live applications and end users is minimal. The vulnerability could disrupt the developer workflow or compromise the confidentiality of development data. Organizations that expose development servers publicly or do not restrict access to trusted networks are at higher risk. Overall, the impact is low for most organizations, but it could be more significant in environments where development servers are accessible externally or where sensitive data is handled during development.
Mitigation Recommendations
1. Upgrade Next.js to version 16.1.7 or later, where the vulnerability is fixed by proper origin validation.
2. Ensure that development servers running 'next dev' are not exposed to untrusted networks or the public internet. Restrict access to trusted internal networks only.
3. Configure network-level controls such as firewalls or reverse proxies to block WebSocket upgrade requests to the '/_next/webpack-hmr' endpoint when the 'Origin' header is 'null'.
4. If an immediate upgrade is not possible, implement strict access controls and monitoring on development servers to detect unauthorized WebSocket connections.
5. Educate developers about the risks of exposing development servers and enforce policies to avoid public exposure.
6. Review and configure the 'allowedDevOrigins' setting carefully to restrict allowed origins. Note that on vulnerable versions this setting does not block 'Origin: null', so it complements the upgrade rather than replacing it.
7. Regularly audit development environments for exposure and apply security best practices to isolate development infrastructure from untrusted sources.
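To make the checks concrete, the following is an added JavaScript example (not Next.js source and not a reproduction of its dev server). It models the HMR upgrade's Origin check in the vulnerable shape described in the technical summary, the fixed shape that applies the allowlist to 'Origin: null' as well, and the proxy-side gate from item 3 above. The dev-server origins, the allowlist pattern syntax, the treatment of requests with no Origin header, the request shape and the handshakes run through it are all assumptions constructed for illustration.

```javascript
// Added example (not Next.js code): models the Origin check on the HMR WebSocket
// upgrade in the vulnerable shape described for CVE-2026-27977 and in the fixed
// shape, plus a proxy-side gate for unpatched servers. Assumptions: the dev server
// listens on localhost:3000, allowedDevOrigins is a list of hostnames with an
// optional leading "*." wildcard, and a request is modelled as { path, headers }
// with lower-case header names.

const HMR_PATH = '/_next/webpack-hmr';
const SELF_ORIGINS = new Set(['http://localhost:3000', 'http://127.0.0.1:3000']);

// True when the Origin header's hostname is covered by allowedDevOrigins.
function originMatchesAllowlist(originHeader, allowedDevOrigins) {
  let hostname;
  try {
    hostname = new URL(originHeader).hostname;
  } catch {
    return false; // "null" and other non-URL values can never match a hostname
  }
  return allowedDevOrigins.some((pattern) => {
    if (pattern.startsWith('*.')) {
      const suffix = pattern.slice(1); // "*.lan.example.test" -> ".lan.example.test"
      return hostname.endsWith(suffix) && hostname.length > suffix.length;
    }
    return hostname === pattern;
  });
}

// Vulnerable shape: an "Origin: null" header short-circuits the allowlist.
function isAllowedOriginVulnerable(originHeader, allowedDevOrigins) {
  if (originHeader === undefined) return true; // non-browser client, no Origin (assumption)
  if (originHeader === 'null') return true;    // the bug: opaque origin treated as trusted
  return SELF_ORIGINS.has(originHeader) || originMatchesAllowlist(originHeader, allowedDevOrigins);
}

// Fixed shape: "null" goes through the same checks as any other origin and fails them.
function isAllowedOriginFixed(originHeader, allowedDevOrigins) {
  if (originHeader === undefined) return true; // unchanged from above (assumption)
  return SELF_ORIGINS.has(originHeader) || originMatchesAllowlist(originHeader, allowedDevOrigins);
}

function isHmrUpgrade(req) {
  const upgradeHeader = (req.headers['upgrade'] || '').toLowerCase();
  return upgradeHeader === 'websocket' && req.path === HMR_PATH;
}

// Dev-server side decision for one handshake, using the given origin check.
function decideUpgrade(req, allowedDevOrigins, check) {
  if (!isHmrUpgrade(req)) return 'not-hmr';
  return check(req.headers['origin'], allowedDevOrigins) ? 'accept' : 'reject';
}

// Reverse-proxy gate for an unpatched server: refuse the HMR handshake outright
// when the browser reports an opaque origin. Returns an HTTP status to send, or
// null to pass the request through.
function proxyGate(req) {
  if (isHmrUpgrade(req) && req.headers['origin'] === 'null') return 403;
  return null;
}

// Constructed handshakes (not captured traffic).
const ALLOWED = ['dev.example.test', '*.lan.example.test'];
const handshake = (origin) => {
  const headers = { upgrade: 'websocket', connection: 'Upgrade' };
  if (origin !== undefined) headers.origin = origin;
  return { path: HMR_PATH, headers };
};
const SAMPLE = {
  sameOrigin: handshake('http://localhost:3000'),
  allowlisted: handshake('http://box1.lan.example.test:3000'),
  attackerSite: handshake('https://attacker.example'),
  sandboxedIframe: handshake('null'), // what a sandboxed iframe or other opaque context sends
  curl: handshake(undefined),         // direct client with no Origin header
};

// Runs every sample through both server checks and the proxy gate.
function evaluate(samples = SAMPLE, allowed = ALLOWED) {
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = {
      vulnerable: decideUpgrade(req, allowed, isAllowedOriginVulnerable),
      fixed: decideUpgrade(req, allowed, isAllowedOriginFixed),
      proxy: proxyGate(req),
    };
  }
  return out;
}

console.table(evaluate());
```

Running it shows the one row where the two server checks disagree: the sandboxed-iframe handshake is accepted by the vulnerable check and rejected by the fixed one, and it is the only row the proxy gate turns away. The attacker's own site is rejected by both checks, which is why the opaque 'null' origin is the interesting case. The 'curl' row is accepted by both because it carries no Origin at all; that is a reminder that origin validation only governs connections a browser makes on a page's behalf and says nothing about a client that reaches the port directly.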
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-25T03:24:57.793Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b9ee21771bdb1749ef1e13
Added to database: 3/18/2026, 12:13:21 AM
Last enriched: 3/25/2026, 1:01:04 AM
Last updated: 5/1/2026, 11:02:46 AM