HTTP Request Smuggling Affecting keep-fips package, versions <0.51.0-r1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-KEEPFIPS-15724907
- published21 Mar 2026
- disclosed18 Mar 2026
Introduced: 18 Mar 2026
CVE-2026-29057 (opens in a new tab)How to fix?
Upgrade Chainguard keep-fips to version 0.51.0-r1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream keep-fips package and not the keep-fips package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. The vulnerability originated in an upstream library vendored by Next.js. It is fixed in Next.js 15.5.13 and 16.1.7 by updating that dependency’s behavior so content-length: 0 is added only when both content-length and transfer-encoding are absent, and transfer-encoding is no longer removed in that code path. If upgrading is not immediately possible, block chunked DELETE/OPTIONS requests on rewritten routes at the edge/proxy, and/or enforce authentication/authorization on backend routes.