Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN313
_____________________________________________________________________

DATE                : 18/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Next.js versions prior to 16.1.7,
                                     15.5.13.

=====================================================================
https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8
https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx
https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq
https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8
_____________________________________________________________________


Unbounded next/image disk cache growth can exhaust storage
Moderate
ztanner published GHSA-3x4c-7xq6-9pq8 Mar 16, 2026

Package
next (npm)

Affected versions
>=10.0.0

Patched versions
16.1.7


Description

Summary

The default Next.js image optimization disk cache (/_next/image) did not
have a configurable upper bound, allowing unbounded cache growth.
Impact

An attacker could generate many unique image-optimization variants and
exhaust disk space, causing denial of service.
Patches

Fixed by adding an LRU-backed disk cache with images.maximumDiskCacheSize,
including eviction of least-recently-used entries when the limit is
exceeded. Setting maximumDiskCacheSize: 0 disables disk caching.


Workarounds

If upgrade is not immediately possible:

    Periodically clean .next/cache/images.
    Reduce variant cardinality (e.g., tighten values for
images.localPatterns, images.remotePatterns, and images.qualities)


Severity
Moderate
6.9/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability Low
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVE ID
CVE-2026-27980

Weaknesses
Weakness CWE-400 

_____________________________________________________________________


null origin can bypass Server Actions CSRF checks
Moderate
ztanner published GHSA-mq59-m269-xvcx Mar 16, 2026

Package
next (npm)

Affected versions
>=16.0.1

Patched versions
16.1.7


Description

Summary

origin: null was treated as a "missing" origin during Server Action CSRF
validation. As a result, requests from opaque contexts (such as
sandboxed iframes) could bypass origin verification instead of being
validated as cross-origin requests.
Impact

An attacker could induce a victim browser to submit Server Actions from a
sandboxed context, potentially executing state-changing actions with
victim credentials (CSRF).
Patches

Fixed by treating 'null' as an explicit origin value and enforcing
host/origin checks unless 'null' is explicitly allowlisted in
experimental.serverActions.allowedOrigins.


Workarounds

If upgrade is not immediately possible:

    Add CSRF tokens for sensitive Server Actions.
    Prefer SameSite=Strict on sensitive auth cookies.
    Do not allow 'null' in serverActions.allowedOrigins unless intentionally
required and additionally protected.


Severity
Moderate
5.3/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction Passive
Vulnerable System Impact Metrics
Confidentiality None
Integrity Low
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CVE ID
CVE-2026-27978

Weaknesses
Weakness CWE-352

_____________________________________________________________________


null origin can bypass dev HMR websocket CSRF checks
Low
ztanner published GHSA-jcc7-9wpm-mj36 Mar 16, 2026

Package
next (npm)

Affected versions
>=16.0.1

Patched versions
16.1.7


Description

Summary

In next dev, cross-site protection for internal websocket endpoints could
treat Origin: null as a bypass case even if allowedDevOrigins is
configured, allowing privacy-sensitive/opaque contexts (for example
sandboxed documents) to connect unexpectedly.


Impact

If a dev server is reachable from attacker-controlled content, an attacker
may be able to connect to the HMR websocket channel and interact with dev
websocket traffic. This affects development mode only.


Apps without a configured allowedDevOrigins still allow connections from
any origin.


Patches

Fixed by validating Origin: null through the same cross-site
origin-allowance checks used for other origins.


Workarounds

If upgrade is not immediately possible:

    Do not expose next dev to untrusted networks.
    Block websocket upgrades to /_next/webpack-hmr when Origin is null at
your proxy.

Severity
Low
2.3/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction Passive
Vulnerable System Impact Metrics
Confidentiality Low
Integrity Low
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CVE ID
CVE-2026-27977

Weaknesses
Weakness CWE-1385

Credits

    @radu33 radu33 Finder
    @xdavidhu xdavidhu Finder


_____________________________________________________________________


Unbounded postponed resume buffering can lead to DoS
Moderate
ztanner published GHSA-h27x-g6w4-24gq Mar 16, 2026

Package
next (npm)

Affected versions
>=16.1.0

Patched versions
16.1.7


Description

Summary

A request containing the next-resume: 1 header (corresponding with a
PPR resume request) would buffer request bodies without consistently
enforcing maxPostponedStateSize in certain setups. The previous
mitigation protected minimal-mode deployments, but equivalent
non-minimal deployments remained vulnerable to the same unbounded
postponed resume-body buffering behavior.


Impact

In applications using the App Router with Partial Prerendering
capability enabled (via experimental.ppr or cacheComponents), an
attacker could send oversized next-resume POST payloads that were
buffered without consistent size enforcement in non-minimal deployments,
causing excessive memory usage and potential denial of service.


Patches

Fixed by enforcing size limits across all postponed-body buffering
paths and erroring when limits are exceeded.


Workarounds

If upgrade is not immediately possible:

    Block requests containing the next-resume header, as this is never
valid to be sent from an untrusted client.

Severity
Moderate
6.9/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity None
Availability Low
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVE ID
CVE-2026-27979

Weaknesses
Weakness CWE-770 

_____________________________________________________________________


HTTP request smuggling in rewrites
Moderate
ztanner published GHSA-ggv3-7p47-pfv8 Mar 16, 2026

Package
next (npm)

Affected versions
>=9.5.0

Patched versions
16.1.7, 15.5.13


Description

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted
DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger
request boundary disagreement between the proxy and backend. This could
allow request smuggling through rewritten routes.


Impact

An attacker could smuggle a second request to unintended backend routes
(for example, internal/admin endpoints), bypassing assumptions that only
the configured rewrite destination/path is reachable. This does not impact
applications hosted on providers that handle rewrites at the CDN level,
such as Vercel.


Patches

The vulnerability originated in an upstream library vendored by Next.js. It
is fixed by updating that dependency’s behavior so content-length: 0 is
added only when both content-length and transfer-encoding are absent, and
transfer-encoding is no longer removed in that code path.


Workarounds

If upgrade is not immediately possible:

    Block chunked DELETE/OPTIONS requests on rewritten routes at your
edge/proxy.
    Enforce authentication/authorization on backend routes per our security
guidance.


Severity
Moderate
6.3/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality Low
Integrity Low
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CVE ID
CVE-2026-29057

Weaknesses
Weakness CWE-444 


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================