Vulnerability in Vercel Next.js

CVE-2026-29057

Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request usi…

Vulnerability class: HTTP Request Smuggling

EPSS: 0.000 (9.3th percentile)

Affected products

  • Vercel Next.js, versions >= 9.5.0, < 15.5.13 and >= 16.0.0-beta.0, < 16.1.7
