GHSA-JCC7-9WPM-MJ36 Next.js: null origin can bypass dev HMR websocket CSRF checks
Summary In next dev, cross-site protections for internal development endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server...