Security
Mar 25, 2026

CVE-2026-29057 and CVE-2026-27980: Two New Vulnerabilities Affecting End-of-Life Next.js

How HeroDevs NES secures end-of-life Next.js applications against DoS and request smuggling threats


HeroDevs has patched two medium-severity vulnerabilities affecting multiple versions of end-of-life (EOL) Next.js. These vulnerabilities have been remediated in HeroDevs Never Ending Support (NES) for Next.js, ensuring that even EOL versions of the framework remain secure.

The Reality of Open Source Security and EOL

In the open-source world, security is a community effort. When a vulnerability is discovered, projects and communities typically act quickly to fix, provide a patch, and disclose the vulnerability. However, this support doesn't last forever.

When a project or a version reaches EOL there’s no more maintenance. This means:

  • No more feature updates.
  • No more bug fixes.
  • Crucially, no more security patches for new vulnerabilities.

For Next.js, only major versions 15.x and 16.x are under long-term support (LTS). This means that previous versions are all EOL. If your application runs on any of these versions and a new CVE is disclosed, the official Next.js project will not produce a fix for your version. You are on your own.

This creates an enormous challenge for enterprises. Large organizations often do not plan ahead for every software component and cannot migrate framework versions on short notice. For example, refactoring a production application from Next.js 12 to Next.js 15 could take months of engineering effort and regression testing. The result? Thousands of production applications sitting on EOL versions of Next.js, which means unpatched and exposed.

The Danger of Denial of Service (DoS) Attacks

Before examining specific CVEs, it's important to understand why DoS vulnerabilities represent a serious risk to organizations of all sizes.

DoS attacks are particularly risky because they can take an entire business offline. A DoS attack targets the availability pillar of the CIA security triad (Confidentiality, Integrity, Availability). The goal is not to steal data, but to render a service completely unusable by overwhelming it with traffic or sending data that causes applications to hang, crash, or consume resources indefinitely. This leads to lost revenue, damaged reputation, and operational chaos.

Two Real-World Vulnerabilities HeroDevs Fixed for EOL Next.js

1. CVE-2026-29057: HTTP Request Smuggling in Next.js

  • What happened: The vulnerability occurs when Next.js rewrites proxy traffic to an external backend server.
  • The EOL Risk: This is a medium-severity vulnerability found in Next.js versions 9.5.0 to versions prior to 15.5.13 and 16.0.0-beta.0 to versions prior to 16.1.7.
  • How it can be exploited: An attacker can send a crafted DELETE or OPTIONS request using Transfer-Encoding: chunked. Due to a disagreement in how the proxy and backend interpret request boundaries, the attacker can "smuggle" a second request into the body. The backend processes the smuggled request as if it were a separate, legitimate request, potentially reaching internal routes not intended to be publicly accessible. The downstream impact depends on what those routes expose. Possibilities include access control bypass, data exposure, or interference with other users' requests.

This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

2. CVE-2026-27980: Unbounded Image Optimization Disk Cache

  • What happened: Next.js uses an image optimization endpoint (/_next/image) that caches files on disk. However, older versions lacked a cap on this cache. Because there was no limit on how large this cache could grow, the disk was essentially open-ended storage for any cached image variant.
  • The EOL Risk: This medium-severity DoS vulnerability affects Next.js versions 10.0.0 to versions prior to 16.1.7.
  • How it can be exploited: An attacker can automate thousands of requests to /_next/image with slightly different width (w) and quality (q) parameters. Each unique combination of source image URL, width, and quality generates a separate cached file that persists indefinitely. This causes the server's disk space to fill up completely, crashing the application and making it unavailable to users, effectively a denial of service.

HeroDevs Never Ending Support (NES): The Answer to the EOL Gap

For many enterprises, upgrading a massive codebase to the latest major version isn't always feasible in the short term. This is where HeroDevs NES comes in. HeroDevs provides secure, compliant, and supported versions of EOL software. When HeroDevs identifies a vulnerability, or when a new CVE is disclosed in LTS versions of Next.js, HeroDevs backports, tests, and provides those fixes for EOL versions, ensuring your stack remains secure.

Here's how the NES process works for newly disclosed vulnerabilities:

  1. When a new CVE is disclosed in an LTS version of Next.js (such as 15.x or 16.x), HeroDevs evaluates whether the same vulnerability exists in EOL versions.
  2. If it does, HeroDevs backports the fix, adapting the patch to the older codebase and rigorously testing it to ensure compatibility and stability.
  3. A new patched NES release is issued to customers running EOL versions, typically in lockstep with the upstream disclosure timeline.
  4. Customers apply the patch with a simple package update, no code changes, no migration risk.

Staying on EOL software is a gamble with your organization's security. While the community moves forward to Next.js 15 and 16, HeroDevs ensures that those who aren't ready to move yet don't have to leave their doors unlocked and vulnerable. Whether it's preventing request smuggling or stopping disk-exhaustion DoS attacks, NES provides the safety net modern DevOps teams need.

Want to learn more about NES for Next.js? Visit herodevs.com/support/next-js-nes and explore the full HeroDevs Vulnerability Directory.

FAQ

What is Next.js?

Next.js is a powerful open-source React framework that handles the hard parts of development when building production-grade web applications. By providing built-in solutions for server-side rendering (SSR), static site generation (SSG), and incremental static regeneration (ISR), it allows teams to create high-performance applications with ease.

How do I know if my application is running an EOL version of Next.js?

You can check your current Next.js version by running npm list next or inspecting the dependencies section of your package.json file. If the major version is anything earlier than 15.x, your application is running on an EOL version and will not receive official security patches from the Next.js project. HeroDevs NES supports a wide range of these older versions — visit herodevs.com/support/next-js-nes to see the full list of covered versions.

Are CVE-2026-29057 and CVE-2026-27980 being actively exploited?

There is no public evidence of active exploitation of these specific CVEs at the time of disclosure. CVE-2026-29057 requires no authentication, but exploitation is conditional. The target application must be configured with Next.js rewrites pointing to an external backend, and the attacker must craft a request with specific chunked encoding. CVE-2026-27980 is more straightforward to exploit and can be triggered by a script making repeated image requests. Organizations running affected EOL versions should treat these as urgent, even at medium severity. Waiting for confirmed exploitation before patching is a reactive posture that carries significant operational risk.

How does HeroDevs NES deliver patches? Do I need to refactor my code?

No code changes are required. NES patches are delivered as drop-in package updates. You simply update the package version in your project the same way you would any other dependency update. HeroDevs tests each patch for compatibility and stability against the target EOL version, so your application continues to behave as expected.

Author
Javier Perez
Technical Product Owner & Manager - Javascript