FIND-20260409-002 · 2026-04-09 · Innovation Veille

Next.js 16.2.3 — Security patch for CVE-2026-29057 (http-proxy smuggling) and CVE-2026-27979

release HIGH
Next.js 16.2.3 was released April 8 2026 as a security-focused backport. It patches CVE-2026-29057 (request smuggling via http-proxy in rewrites) and CVE-2026-27979 (maxPostponedStateSize enforcement bypass). The 16.2 minor also includes major DX improvements: ~400% faster dev startup, 25-60% faster server rendering (React RSC payload deserialization rewrite), Turbopack as stable default, and new Adapters API for platforms. ODS Dashboard currently targets Next.js 16.x.

Source

https://github.com/vercel/next.js/releases/tag/v16.2.3

ODS Impact

ODS Dashboard (Next.js + Hono monorepo on srv-staging) should upgrade to 16.2.3 immediately due to the http-proxy smuggling CVE. If ODS Dashboard uses rewrites with an upstream proxy, the vulnerability is directly exploitable. Run 'npm install next@16.2.3' in the ods-dashboard repo and re-deploy. The 400% faster dev startup and 50% rendering speed gains are also directly beneficial.
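A pre-upgrade check for the ods-dashboard checkout, added here as an example and not taken from the advisory or from the Next.js project: it reports whether the installed next package is older than the 16.2.3 backport and whether next.config defines rewrites, the feature through which CVE-2026-29057 is reached. The file names, the grep heuristic and the plain x.y.z version comparison are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or Next.js): flag a checkout still on a
# Next.js older than 16.2.3 and note whether next.config defines rewrites.
FIXED_VERSION="16.2.3"

# version_lt A B: true when x.y.z version A sorts before B. Pre-release suffixes
# (e.g. -canary.5) are stripped, so a canary of the fixed version counts as fixed.
version_lt() {
  a=$(printf '%s' "$1" | sed 's/[-+].*//')
  b=$(printf '%s' "$2" | sed 's/[-+].*//')
  [ "$a" = "$b" ] && return 1
  first=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$first" = "$a" ]
}

# installed_next_version DIR: version string from node_modules/next/package.json
installed_next_version() {
  f="$1/node_modules/next/package.json"
  [ -f "$f" ] || return 1
  sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n1
}

# uses_rewrites DIR: true if any next.config.* mentions rewrites (assumed
# heuristic: a plain grep, so a commented-out hook also matches; review by hand).
uses_rewrites() {
  for f in "$1"/next.config.js "$1"/next.config.mjs "$1"/next.config.cjs "$1"/next.config.ts; do
    [ -f "$f" ] && grep -q 'rewrites' "$f" && return 0
  done
  return 1
}

# check_next DIR: prints a verdict; returns 0 patched, 1 vulnerable, 2 undetermined.
check_next() {
  v=$(installed_next_version "$1" || true)
  if [ -z "$v" ]; then
    echo "UNDETERMINED: no node_modules/next/package.json under $1 (run npm install first)"
    return 2
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    extra=""
    uses_rewrites "$1" && extra=" and next.config defines rewrites (CVE-2026-29057 exposure path)"
    echo "VULNERABLE: next@$v is older than $FIXED_VERSION$extra; run: npm install next@$FIXED_VERSION"
    return 1
  fi
  echo "OK: next@$v is at or above $FIXED_VERSION"
  return 0
}
# Usage: . ./check_next.sh && check_next /path/to/ods-dashboard
```

Run it after `npm install` so node_modules reflects the lockfile; a VULNERABLE verdict that also reports rewrites is the case the advisory calls out as directly exploitable.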

Security Review

License: MIT | Maintenance: ACTIVE | Risk: LOW | Recommendation: SAFE_TO_USE

Tags

nextjs react cve security release ods-dashboard frontend