CVE-2026-44578

Next.js: Server-side request forgery in applications using WebSocket upgrades

CVSS 8.6 HIGH · EPSS 37.8% · CWE-918
In short

Self-hosted Next.js applications that handle WebSocket upgrades can be tricked into making requests to internal or external servers they should not reach, potentially exposing internal services or cloud instance metadata. Deployments hosted on Vercel are not affected.

Technical detail

Next.js versions 13.4.13 through 15.5.15 and 16.0.0 through 16.2.4 contain a server-side request forgery (SSRF) vulnerability when the application is served by the built-in Node.js server, i.e. a self-hosted deployment. A remote, unauthenticated attacker (PR:N in the vector below) can craft WebSocket upgrade requests that cause the server to proxy HTTP/HTTPS requests to destinations of the attacker's choosing. Because the request originates from the Next.js host, it bypasses network access controls that rely on the server's position inside the network, and the attacker may retrieve responses from internal services or cloud metadata endpoints. The scope-changed, confidentiality-high CVSS rating reflects this: the blast radius is whatever the Next.js host can reach, not the application alone. Upgrade to 15.5.16 (15.x line) or 16.2.5 (16.x line); Vercel-hosted deployments are not affected.

Summary generated and translated by AI from the official description.

Official description

Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Affected products
vercel · next.js
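The first thing a practitioner wants from this advisory is a reliable answer to "is the version we deploy inside the affected ranges?". Naive string comparison gets that wrong (for example "15.5.9" sorts after "15.5.15" lexically, and canary builds of the fix version sort before the release). The following Node.js script is an added example, not code from the Next.js project or from this advisory's publisher: it implements semver precedence, encodes the two affected ranges stated above (13.4.13 ≤ v < 15.5.16 and 16.0.0 ≤ v < 16.2.5), and reads the resolved "next" version out of a package-lock.json. The function names and the sample lockfile are my own constructions.

```javascript
// Added example (not Next.js or advisory-publisher code). Classifies an
// installed Next.js version against the affected ranges stated in this
// advisory and reports the fix version to upgrade to. Function names and the
// sample lockfile below are constructed for illustration.

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]" with an optional leading "v".
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(s).trim());
  if (!m) throw new Error(`not a semver version: ${s}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: compare the numeric core first; a prerelease sorts before
// its release (15.5.16-canary.1 < 15.5.16), so a canary of the fix version is
// still treated as affected. Returns -1, 0 or 1.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (a.pre[i] === undefined) return -1; // shorter prerelease list sorts first
    if (b.pre[i] === undefined) return 1;
    const x = a.pre[i], y = b.pre[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xNum) return -1; // numeric identifiers rank below alphanumeric ones
    else if (yNum) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The two ranges this advisory states: from 13.4.13 to before 15.5.16, and
// from 16.0.0 to before 16.2.5.
const AFFECTED_RANGES = [
  { from: '13.4.13', fixedIn: '15.5.16' },
  { from: '16.0.0', fixedIn: '16.2.5' },
];

function isAffected(version) {
  const v = parseVersion(version);
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(v, parseVersion(r.from)) >= 0 &&
        compareVersions(v, parseVersion(r.fixedIn)) < 0) {
      return { affected: true, upgradeTo: r.fixedIn };
    }
  }
  return { affected: false, upgradeTo: null };
}

// Resolve the installed "next" version from a package-lock.json: the v2/v3
// "packages" map first, then the v1 "dependencies" map.
function nextVersionFromLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const pkg = lock.packages && lock.packages['node_modules/next'];
  if (pkg && pkg.version) return pkg.version;
  const dep = lock.dependencies && lock.dependencies.next;
  return dep && dep.version ? dep.version : null;
}

function auditLock(lockJson) {
  const version = nextVersionFromLock(lockJson);
  if (!version) return { version: null, affected: false, upgradeTo: null, note: 'next not found in lockfile' };
  return { version, ...isAffected(version) };
}

// Constructed sample lockfile for a self-hosted app (not from any real project).
const SAMPLE_LOCK = JSON.stringify({
  name: 'self-hosted-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'self-hosted-app', dependencies: { next: '15.5.15' } },
    'node_modules/next': { version: '15.5.15', resolved: 'https://registry.npmjs.org/next/-/next-15.5.15.tgz' },
  },
});

console.log(auditLock(SAMPLE_LOCK));
for (const v of ['14.2.3', '15.5.16', '16.2.4', '16.2.5']) console.log(v, isAffected(v));
```

Two caveats. First, the check follows the advisory's ranges literally: prerelease builds published between the 15.5 line and 16.0.0 (for example a 16.0.0 canary) fall outside both stated ranges and are reported as not affected, which you should treat as "unknown" rather than "safe". Second, a clean lockfile result only tells you the version; whether the deployment is exposed also depends on it being served by the built-in Node.js server rather than Vercel, which the lockfile cannot tell you.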