Next.js: Untrusted Networks Can Connect to Development Server
GHSA-jcc7-9wpm-mj36
CVE-2026-27977
Summary
If you're running a Next.js development server on a network that's accessible to others, a malicious user could potentially connect to your development server and see sensitive information. This only happens in development mode, and it's fixed in the latest version of Next.js. To protect yourself in the meantime, keep your development server private or block access to the WebSocket upgrade at your network proxy.
What to do
- Update next to version 16.1.7.
- Update vercel-release-bot next to version 16.1.7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | next | > 16.0.1, <= 16.1.7 | 16.1.7 |
| vercel-release-bot | next | > 16.0.1, <= 16.1.7 | 16.1.7 |
Original title
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints ...
Original description
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy.
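The following is an added illustrative example, not Next.js's own code, showing the two origin-check behaviours the description contrasts and the proxy-side interim mitigation it names. It assumes a request object with `path` and lower-cased `headers`, that `allowedDevOrigins` holds hostnames, and that an absent or unparseable `Origin` is rejected; the function names and sample requests are constructed for the demonstration.

```javascript
// Added, illustrative example. Not Next.js's own code: function names, the
// request shape, and treating absent Origin as a rejection are assumptions.

const HMR_PATH = "/_next/webpack-hmr";

// True when the request headers describe a WebSocket upgrade handshake.
function isWebSocketUpgrade(headers) {
  const upgrade = String(headers["upgrade"] || "").toLowerCase();
  const connection = String(headers["connection"] || "").toLowerCase();
  return (
    upgrade === "websocket" &&
    connection.split(",").map((t) => t.trim()).includes("upgrade")
  );
}

// Hostname part of an Origin header value, or undefined if it is not a URL.
// The opaque value "null" (sandboxed documents, data: URLs) is not a URL, so
// it maps to undefined like any other unparseable value.
function originHostname(origin) {
  try {
    return new URL(origin).hostname;
  } catch {
    return undefined;
  }
}

// Weak check mirroring the advisory's description: an opaque "null" Origin is
// short-circuited to "allowed" before allowedDevOrigins is consulted.
function isAllowedOriginWeak(origin, selfHostname, allowedDevOrigins) {
  if (origin === "null") return true; // the bypass case
  const hostname = originHostname(origin);
  return (
    hostname !== undefined &&
    (hostname === selfHostname || allowedDevOrigins.includes(hostname))
  );
}

// Hardened check: "null" goes through the same allowance logic as every other
// origin. It cannot match a hostname, so it is accepted only if the operator
// deliberately lists the literal "null" in allowedDevOrigins.
function isAllowedOriginFixed(origin, selfHostname, allowedDevOrigins) {
  if (origin === "null") return allowedDevOrigins.includes("null");
  const hostname = originHostname(origin);
  return (
    hostname !== undefined &&
    (hostname === selfHostname || allowedDevOrigins.includes(hostname))
  );
}

// Proxy-side interim mitigation from the advisory: refuse WebSocket upgrades
// to the HMR endpoint whose Origin is "null". Returns true when the request
// should be dropped before it reaches `next dev`.
function shouldBlockHmrUpgradeAtProxy(req) {
  return (
    req.path === HMR_PATH &&
    isWebSocketUpgrade(req.headers) &&
    req.headers["origin"] === "null"
  );
}

// Constructed sample upgrade requests (not captured traffic).
const fromAllowedOrigin = {
  path: HMR_PATH,
  headers: { upgrade: "websocket", connection: "Upgrade", origin: "http://app.local:3000" },
};
const fromOpaqueOrigin = {
  path: HMR_PATH,
  headers: { upgrade: "websocket", connection: "keep-alive, Upgrade", origin: "null" },
};

// Stand-alone demo when run directly with Node (guarded so it is a no-op under ESM).
if (typeof require !== "undefined" && require.main === module) {
  const allowed = ["app.local"];
  for (const req of [fromAllowedOrigin, fromOpaqueOrigin]) {
    const o = req.headers.origin;
    console.log(
      `origin=${o} weak=${isAllowedOriginWeak(o, "localhost", allowed)}` +
        ` fixed=${isAllowedOriginFixed(o, "localhost", allowed)}` +
        ` proxyBlock=${shouldBlockHmrUpgradeAtProxy(req)}`
    );
  }
}
```

The weak variant accepts the opaque origin even though `app.local` is the only configured hostname; the fixed variant rejects it unless `"null"` is listed explicitly, which is the behaviour the advisory attributes to 16.1.7. The proxy gate matches only the HMR path, so it does not disturb ordinary page loads while an upgrade is pending.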
CVSS 4.0 score (GHSA): 2.3
Vulnerability type
CWE-1385
- https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
- https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2...
- https://github.com/vercel/next.js/releases/tag/v16.1.7
- https://github.com/advisories/GHSA-jcc7-9wpm-mj36
- https://github.com/vercel/next.js (product)
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 17 Mar 2026