FIND-20260325-003 · 2026-03-25 · Innovation Veille

Next.js 16.2.1 released: 3 CVEs patched including HTTP proxy request smuggling

release HIGH
Next.js 16.2.1 was released on March 20, 2026 as a security patch over 16.2.0. Three CVEs were addressed: CVE-2026-29057 (HTTP proxy request smuggling in rewrites), CVE-2026-27979 (maxPostponedStateSize enforcement bypass), and CVE-2026-27978 (Server Action submissions from privacy-sensitive contexts). The 16.2 line also introduced Turbopack improvements with 200+ bug fixes and ~400% faster dev startup.

Source

https://github.com/vercel/next.js/releases/tag/v16.2.1

ODS Impact

ODS Dashboard (the ods-dashboard service) is built on Next.js 16.2.0. Upgrade to 16.2.1 immediately: CVE-2026-29057 (request smuggling) is directly exploitable in apps that use Next.js rewrites or proxies, and ODS Dashboard's Hono proxy layer puts it in that category.

Security Review

License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION

Tags

nextjs security cve release request-smuggling ods-dashboard