Next.js, a popular React framework for full-stack web applications, had a CSRF vulnerability identified as CVE-2026-27978 affecting versions from 16.0.1 up to but not including 16.1.7. The root cause was the improper handling of the 'origin' header during Server Action CSRF validation. Specifically, requests with 'origin: null'—which occur in opaque contexts such as sandboxed iframes—were treated as if the origin was missing, allowing these requests to bypass origin verification checks. This flaw permitted attackers to craft malicious web pages that, when visited by a victim, could submit Server Actions from sandboxed contexts without proper origin validation. Such actions could change application state or perform sensitive operations using the victim's credentials, effectively enabling CSRF attacks. The vulnerability was addressed in Next.js 16.1.7 by treating 'null' as a valid origin value and enforcing strict host/origin checks unless 'null' is explicitly allowlisted in the experimental.serverActions.allowedOrigins configuration. This fix ensures that requests from opaque origins are either blocked or explicitly permitted with additional protections. If immediate upgrading is not feasible, developers are advised to implement CSRF tokens on sensitive Server Actions, use SameSite=Strict on authentication cookies to limit cross-site cookie transmission, and avoid allowing 'null' in allowed origins unless necessary and secured. The CVSS 4.0 vector indicates the attack is network-based, requires no privileges or authentication, but does require user interaction, with a medium impact on integrity and low impact on confidentiality and availability.

This vulnerability allows attackers to perform CSRF attacks against applications using vulnerable Next.js versions, potentially causing unauthorized state changes such as modifying user data, performing transactions, or altering application settings under the victim's session. Since the attack exploits the browser's trust in the user's credentials and session cookies, it can lead to compromised user accounts and unauthorized operations without the victim's explicit consent. The impact is particularly significant for applications handling sensitive data or critical operations, as attackers can manipulate server-side actions that rely on Server Actions. While the vulnerability does not directly expose confidential data or cause denial of service, the integrity of application state and user trust can be severely undermined. Organizations relying on Next.js for web applications face risks of reputational damage, regulatory non-compliance, and potential financial loss if exploited. The medium CVSS score reflects the moderate severity due to the requirement of user interaction and the limited scope of impact to integrity rather than confidentiality or availability.

1. Upgrade all Next.js applications to version 16.1.7 or later, which includes the fix treating 'null' as an explicit origin and enforcing strict origin checks. 2. For environments where immediate upgrading is not possible, implement CSRF tokens on all sensitive Server Actions to ensure requests are validated beyond origin headers. 3. Configure authentication cookies with the SameSite=Strict attribute to prevent them from being sent with cross-origin requests, reducing CSRF risk. 4. Review and restrict the experimental.serverActions.allowedOrigins configuration to disallow 'null' unless absolutely necessary, and if allowed, ensure additional protections such as token validation are in place. 5. Conduct thorough security testing of Server Actions, especially those that change state or perform sensitive operations, to verify that CSRF protections are effective. 6. Educate developers about the risks of opaque origins and the importance of strict origin validation in web applications. 7. Monitor application logs for unusual Server Action requests originating from unexpected contexts or origins. 8. Employ Content Security Policy (CSP) headers to restrict iframe embedding and sandboxing where possible, reducing attack surface for opaque origin exploitation.