From 15e267a78b24af7f5f0a4a143a0391b318681d13 Mon Sep 17 00:00:00 2001
From: Pini Shvartsman <7192105+PiniShv@users.noreply.github.com>
Date: Mon, 13 Apr 2026 23:01:58 +0300
Subject: [PATCH] GHSA-ggv3-7p47-pfv8: add missing CVSS 3.1 score from NVD
---
 .../2026/03/GHSA-ggv3-7p47-pfv8/GHSA-ggv3-7p47-pfv8.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/advisories/github-reviewed/2026/03/GHSA-ggv3-7p47-pfv8/GHSA-ggv3-7p47-pfv8.json b/advisories/github-reviewed/2026/03/GHSA-ggv3-7p47-pfv8/GHSA-ggv3-7p47-pfv8.json
index ada868c1012c3..54eb1c36481d2 100644
--- a/advisories/github-reviewed/2026/03/GHSA-ggv3-7p47-pfv8/GHSA-ggv3-7p47-pfv8.json
+++ b/advisories/github-reviewed/2026/03/GHSA-ggv3-7p47-pfv8/GHSA-ggv3-7p47-pfv8.json
@@ -7,11 +7,15 @@
 "CVE-2026-29057"
 ],
 "summary": "Next.js: HTTP request smuggling in rewrites",
- "details": "## Summary\nWhen Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.\n\n## Impact\nAn attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. \n\n## Patches\nThe vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path.\n\n## Workarounds\nIf upgrade is not immediately possible:\n- Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your edge/proxy.\n- Enforce authentication/authorization on backend routes per our [security guidance](https://nextjs.org/docs/app/guides/data-security).",
+ "details": "## Summary\nWhen Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.\n\n## Impact\nAn attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. 
\n\n## Patches\nThe vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency's behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path.\n\n## Workarounds\nIf upgrade is not immediately possible:\n- Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your edge/proxy.\n- Enforce authentication/authorization on backend routes per our [security guidance](https://nextjs.org/docs/app/guides/data-security).",
 "severity": [
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+ },
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
 }
 ],
 "affected": [
@@ -89,4 +93,4 @@
 "github_reviewed_at": "2026-03-17T16:17:15Z",
 "nvd_published_at": "2026-03-18T01:16:05Z"
 }
-}
\ No newline at end of file
+}
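Review bot: The added `CVSS_V3` entry rates attack complexity as `AC:L`, while the existing `CVSS_V4` entry in the same `severity` array carries `AT:P`, so the two vectors disagree on whether exploitation depends on a precondition, and consumers that read only one entry will triage the advisory differently. CVSS 3.1 has no `AT` metric and expresses deployment-dependent conditions through `AC`; the `details` text does describe one (rewrites that proxy to an external backend). Since the subject attributes the vector to NVD, it should be checked against the NVD record for CVE-2026-29057 and the PR should say whether the divergence from the v4 entry is intended; a 3.1 vector mirroring the v4 entry would likely read `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N`. The same hunk also rewrites the `details` line, where the visible difference is `dependency’s` becoming `dependency's`; the subject does not mention that edit, and it would be easier to audit as a separate change.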