Next.js Cross-Site WebSocket Connection Vulnerability in Development Mode

Vulnerability

A vulnerability in Next.js versions 16.0.1 prior to 16.1.7 allows cross-site connections to internal WebSocket endpoints in development mode. The issue arises because the framework could incorrectly treat a request carrying 'Origin: null' as allowed, even when 'allowedDevOrigins' is set. This flaw enables privacy-sensitive contexts that send a null origin, such as sandboxed documents, to connect unexpectedly. As a result, if a development server is reachable from attacker-controlled content, an attacker might intercept and interact with the Hot Module Replacement (HMR) WebSocket traffic.

Impact

Exploitation of this vulnerability could allow an attacker to connect to the HMR WebSocket channel and manipulate development WebSocket traffic.

Reproduction

The vulnerability can be reproduced by starting a Next.js development server version 16.0.1 prior to 16.1.7 and accessing it from a context that does not provide a valid origin, such as a sandboxed iframe. This will bypass the cross-site protection for WebSocket connections, allowing interaction with the HMR WebSocket channel.

Remediation

Users can upgrade to Next.js version 16.1.7 or later, where this vulnerability is fixed. If an immediate upgrade is not possible, the Next.js development server should not be exposed to untrusted networks, and WebSocket upgrade requests to '/_next/webpack-hmr' should be blocked at the proxy when the 'Origin' header is null.
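One way to enforce the proxy-side mitigation above, as an added example that is not Next.js code or part of this advisory: a Node.js upgrade handler that gates WebSocket upgrades to the HMR path on the Origin header. The allowlist value and the hypothetical forward callback are assumptions for illustration.

```javascript
// Added example (not Next.js code). Gate HTTP Upgrade requests to the HMR
// endpoint: reject when Origin is missing, literally "null" (what a sandboxed
// iframe or other opaque-origin document sends), or not on an allowlist.
const HMR_PATH = "/_next/webpack-hmr"; // path named in the advisory

// True only when the Origin header parses as a URL and its origin
// (scheme + host + port) is allowlisted. "null" never parses, so it fails.
function originAllowed(origin, allowedOrigins) {
  if (typeof origin !== "string" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin); // URL is a Node global
  } catch {
    return false;
  }
  return allowedOrigins.includes(parsed.origin);
}

// Decide whether an Upgrade request may reach the dev server. Only the HMR
// channel is gated; other upgrade paths pass through unchanged.
function isUpgradeAllowed(req, allowedOrigins) {
  const path = (req.url || "").split("?")[0];
  if (path !== HMR_PATH) return true;
  return originAllowed(req.headers.origin, allowedOrigins);
}

// Attach the policy to a Node http.Server (does not start listening).
// `forward(req, socket, head)` is a hypothetical proxy callback that relays
// the upgrade to the dev server; rejected upgrades get a 403 and are closed.
function attachHmrOriginGuard(server, allowedOrigins, forward) {
  server.on("upgrade", (req, socket, head) => {
    if (!isUpgradeAllowed(req, allowedOrigins)) {
      socket.write("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
      socket.destroy();
      return;
    }
    forward(req, socket, head);
  });
}

// Assumed allowlist: the origin the developer's own browser tab uses.
const ALLOWED_DEV_ORIGINS = ["http://localhost:3000"];
```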

Added: Mar 18, 2026, 12:22 AM
Updated: Mar 18, 2026, 12:22 AM

Vulnerability Rating

Custom Algorithm
spread          5.2
impact          1.3
exploitability  6.2
remediation     7.9
relevance       4.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.