Next.js: Null Origin Can Bypass Server Actions Security Checks

Summary

A security issue in Next.js allows malicious requests from certain hidden contexts to impersonate a legitimate user's actions. This could lead to unauthorized changes being made on a site using Next.js. To protect against this, consider adding extra security measures such as CSRF tokens or using strict authentication cookies.

What to do

Update next to version 16.1.7.
Update vercel-release-bot next to version 16.1.7.

Affected software

Vendor	Product	Affected versions	Fix available
–	next	> 16.0.1 , <= 16.1.7	16.1.7
vercel-release-bot	next	> 16.0.1 , <= 16.1.7	16.1.7

Original title

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action ...

Original description

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.

ghsa CVSS4.0 5.3

Vulnerability type

CWE-352 Cross-Site Request Forgery (CSRF)