CVE-2026-29057 Overview
CVE-2026-29057 is an HTTP Request Smuggling vulnerability affecting Next.js, the popular React framework for building full-stack web applications. The vulnerability exists in the rewrite proxy functionality and allows attackers to craft malicious DELETE/OPTIONS requests using Transfer-Encoding: chunked that cause request boundary disagreement between the proxy and backend servers.
When Next.js rewrites proxy traffic to an external backend, a specially crafted request can exploit inconsistencies in how the proxy and backend interpret request boundaries. This enables attackers to smuggle additional requests to unintended backend routes, potentially accessing internal or administrative endpoints that should not be directly reachable.
Critical Impact
Attackers can bypass intended routing restrictions and access internal/admin backend endpoints through request smuggling, potentially compromising application security boundaries.
Affected Products
- Vercel Next.js versions 9.5.0 through 15.5.12
- Vercel Next.js versions 16.0.0 through 16.1.6
- Self-hosted Next.js deployments using rewrites (Vercel-hosted applications using CDN-level rewrites are not affected)
Discovery Timeline
- 2026-03-18 - CVE-2026-29057 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-29057
Vulnerability Analysis
This vulnerability (CWE-444: Inconsistent Interpretation of HTTP Requests) arises from how Next.js handles HTTP headers when proxying rewritten requests. The issue originates in an upstream library (http-proxy) vendored by Next.js, which improperly handles the relationship between Content-Length and Transfer-Encoding headers.
When processing DELETE or OPTIONS requests with Transfer-Encoding: chunked, the proxy would add content-length: 0 while removing transfer-encoding in certain code paths. This creates a scenario where the Next.js proxy and the backend server interpret the same HTTP request differently, leading to request boundary desynchronization.
An attacker can exploit this desynchronization to "smuggle" a second, malicious request hidden within what appears to be a single legitimate request. The backend server may interpret the smuggled content as a separate request, potentially routing it to internal endpoints that were never intended to be exposed through the rewrite configuration.
Root Cause
The vulnerability originated in the vendored http-proxy library. Specifically, the proxy would modify request headers in a way that violated HTTP specification requirements around Content-Length and Transfer-Encoding header handling. The fix ensures that content-length: 0 is only added when bothcontent-length and transfer-encoding headers are absent, and prevents the removal of transfer-encoding in the problematic code path.
Attack Vector
The attack requires network access to a Next.js application that uses the rewrites feature to proxy traffic to an external backend. The attacker sends a specially crafted DELETE or OPTIONS HTTP request with Transfer-Encoding: chunked header. Due to the header handling inconsistency, a second malicious request can be embedded within the first, allowing access to backend routes that bypass the configured rewrite restrictions.
+diff --git a/lib/http-proxy/common.js b/lib/http-proxy/common.js
+index 6513e81d80d5250ea249ea833f819ece67897c7e..09143dd1fe4e67885f40ea916a6ea1ef3e3afa19 100644
+--- a/lib/http-proxy/common.js
++++ b/lib/http-proxy/common.js
+@@ -1,9 +1,9 @@
+ var common = exports,
+ url = require('url'),
+- extend = require('util')._extend,
+ required = require('requires-port');
+
+ var upgradeHeader = /(^|,)\s*upgrade\s*($|,)/i,
++ hopByHopTransferEncodingHeader = /(^|,)\s*transfer-encoding\s*($|,)/i,
+ isSSL = /^https|wss/;
+
+/**
+@@ -40,10 +40,10 @@ common.setupOutgoing = function(outgoing, options, req, forward) {
+ );
+
+ outgoing.method = options.method || req.method;
+- outgoing.headers = extend({}, req.headers);
++ outgoing.headers = Object.assign({}, req.headers);
+
+ if (options.headers){
+- extend(outgoing.headers, options.headers);
++ Object.assign(outgoing.headers, options.headers);
+ }
+
+ if (options.auth) {
+@@ -61,13 +61,22 @@ common.setupOutgoing = function(outgoing, options, req, forward) {
Source: GitHub Commit dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6
Detection Methods for CVE-2026-29057
Indicators of Compromise
- Unusual DELETE or OPTIONS requests with Transfer-Encoding: chunked targeting rewritten routes
- Backend logs showing requests to internal/admin endpoints that should not be accessible externally
- Requests containing multiple HTTP request patterns within a single connection
- Unexpected authentication bypass events on backend administrative endpoints
Detection Strategies
- Implement HTTP request logging at both the proxy and backend layers to detect boundary desynchronization
- Monitor for DELETE/OPTIONS requests with Transfer-Encoding: chunked to rewritten routes
- Configure Web Application Firewall (WAF) rules to detect and alert on potential request smuggling patterns
- Compare request counts between proxy and backend to identify smuggled requests
Monitoring Recommendations
- Enable detailed HTTP access logging on Next.js applications using rewrites
- Set up alerts for unexpected traffic to internal backend endpoints
- Monitor for anomalies in request method distribution, particularly DELETE and OPTIONS requests
- Review backend server logs for requests that bypass expected routing patterns
How to Mitigate CVE-2026-29057
Immediate Actions Required
- Upgrade Next.js to version 15.5.13 or 16.1.7 immediately
- Audit Next.js applications to identify those using the rewrites feature with external backends
- Review backend access logs for signs of previous exploitation attempts
- Implement edge/proxy-level blocking for chunked DELETE/OPTIONS requests on rewritten routes as an interim measure
Patch Information
Vercel has released security patches in Next.js versions 15.5.13 and 16.1.7. The fix updates the vendored http-proxy dependency behavior to ensure proper handling of Content-Length and Transfer-Encoding headers. For detailed patch information, refer to the GitHub Security Advisory GHSA-ggv3-7p47-pfv8 and the specific patch commit.
Workarounds
- Block chunked DELETE and OPTIONS requests on rewritten routes at the edge or proxy level
- Enforce authentication and authorization on all backend routes, including internal/admin endpoints
- Consider migrating to a CDN-based rewrite solution (such as Vercel's platform) where rewrites are handled at the CDN level
- Implement strict input validation for HTTP methods and headers at the application boundary
# Example nginx configuration to block chunked DELETE/OPTIONS on rewrite paths
location /api/rewrite/ {
# Block DELETE and OPTIONS requests with Transfer-Encoding: chunked
if ($request_method ~* "^(DELETE|OPTIONS)$") {
set $block_chunked "method";
}
if ($http_transfer_encoding ~* "chunked") {
set $block_chunked "${block_chunked}_chunked";
}
if ($block_chunked = "method_chunked") {
return 403;
}
# Normal proxy pass configuration
proxy_pass http://backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
