CVE-2026-44578
Published 2026-05-13
Priority: P276 · Severity: high · CVSS 3.1 score: 8.6
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploit likelihood (EPSS): 38.70% (98.4th percentile)
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | — | — |
| mozilla | thunderbird | — | — |
| next | next | — | — |
| next | next | >= 13.4.13 < 15.5.16 | 15.5.16 |
| next | next | >= 16.0.0 < 16.2.5 | 16.2.5 |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhtas | rekor-search-ui-rhel9 | — | — |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
| vercel | next.js | >= 13.4.13 < 15.5.16 | 15.5.16 |
| vercel | next.js | >= 16.0.0 < 16.2.5 | 16.2.5 |
Detection & IOCs (extracted from sources)
- url: http://169.254.169.254/metadata/v1.json
- url: http://169.254.169.254/latest/meta-data/
- url: http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true
- other: Connection: Upgrade / Upgrade: websocket (WebSocket upgrade request pattern)
- other: Metadata-Flavor: Google
- Detect exploitation attempts by monitoring for HTTP/1.1 WebSocket upgrade requests (Connection: Upgrade, Upgrade: websocket) whose request path or Host header contains internal or cloud metadata addresses such as 169.254.169.254 or metadata.google.internal; such requests indicate SSRF abuse of the Next.js built-in Node.js server.
- Use the Shodan query 'http.component:"Next.js"' to identify internet-exposed Next.js instances potentially vulnerable to this SSRF via WebSocket upgrade.
- The exploit is only applicable to self-hosted Next.js deployments using the built-in Node.js server; Vercel-hosted deployments are not affected. Scope detection rules accordingly.
- The affected version range is Next.js 13.4.13 up to (but not including) 15.5.16 and 16.2.5; both fix branches must be checked when assessing deployed versions.
- The vulnerability is exclusive to self-hosted deployments using the built-in Node.js server; cloud-managed (Vercel) deployments are not in scope for this CVE.
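An added detection example (not from any of the sources aggregated on this page) that applies the rule above to raw HTTP request heads: it flags WebSocket upgrade requests whose Host header or request target names a cloud metadata address or another internal destination, and deliberately ignores the same destinations in non-upgrade requests. The host names and sample requests are constructed for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Destinations that should never appear in a WebSocket upgrade reaching the Next.js origin.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}
URL_HOST_RE = re.compile(r"https?://([^/\s?#]+)", re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, target, headers-dict)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_websocket_upgrade(headers) -> bool:
    """True when Connection carries the 'upgrade' token and Upgrade is 'websocket'."""
    conn_tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    return "upgrade" in conn_tokens and headers.get("upgrade", "").lower() == "websocket"


def hostname_of(authority: str) -> str:
    # urlsplit strips ports and handles bracketed IPv6 literals for us.
    return (urlsplit("//" + authority).hostname or "").lower()


def is_internal_destination(host: str) -> bool:
    if host in METADATA_HOSTS:
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False  # a public DNS name; not what this rule looks for
    return ip.is_link_local or ip.is_private or ip.is_loopback


def flag_ssrf_upgrade(raw_request: str):
    """Return internal destinations named by a WebSocket upgrade request, [] if benign."""
    _method, target, headers = parse_request(raw_request)
    if not is_websocket_upgrade(headers):
        return []  # the rule is scoped to upgrade requests, as the detection note says
    candidates = [hostname_of(headers.get("host", ""))]
    candidates += [hostname_of(a) for a in URL_HOST_RE.findall(target)]
    return sorted({h for h in candidates if h and is_internal_destination(h)})


# Constructed sample request heads (not captured traffic).
BENIGN = "GET /_next/webpack-hmr HTTP/1.1\r\nHost: app.example.com\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n"
HOST_HIT = "GET /api/socket HTTP/1.1\r\nHost: 169.254.169.254\r\nConnection: keep-alive, Upgrade\r\nUpgrade: websocket\r\n"
PATH_HIT = "GET /http://metadata.google.internal/computeMetadata/v1/ HTTP/1.1\r\nHost: app.example.com\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n"
NO_UPGRADE = "GET /latest/meta-data/ HTTP/1.1\r\nHost: 169.254.169.254\r\n"

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("host", HOST_HIT), ("path", PATH_HIT), ("no-upgrade", NO_UPGRADE)]:
        print(label, flag_ssrf_upgrade(req))
```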
CVSS provenance
nvd (v3.1): 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
vendor_redhat: 8.6 HIGH
VulDB
vercel next.js up to 15.5.15/16.2.4 WebSocket server-side request forgery (GHSA-c4j6-fc7j-m34r) [HIGH]
vuldb · 2026-05-13 · CVSS 8.6
A vulnerability, which was classified as critical, has been found in vercel next.js up to 15.5.15/16.2.4. This affects an unknown function of the component WebSocket Handler. This manipulation causes server-side request forgery.
The identification of this vulnerability is CVE-2026-44578. It is possible to initiate the attack remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA
Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades [HIGH, CWE-918]
ghsa · 2026-05-11
### Impact
Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected.
### Fix
We now apply the same safety checks to WebSocket upgrade handling that already existed for normal HTTP requests, so upgrade requests are only proxied when routing has explicitly marked them as safe external rewrites.
### Workarounds
If you cannot upgrade immediately, do not expose the origin server directly to untrusted net
Red Hat
Next.js: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests [HIGH, CWE-918]
vendor_redhat · 2026-05-13 · CVSS 8.6
A flaw was found in Next.js. Self-hosted applications utilizing the built-in Node.js server are vulnerable to Server-Side Request Forgery (SSRF) through specially crafted WebSocket upgrade requests. A remote attacker can exploit this by causing the server to proxy requests to arbitrary internal or external destinations. This could lead to the exposure of internal services or sensitive cloud metadata endpoints.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: firefox (Red Hat Enterprise Linux 10) - Aff
No detection rules found.
Nuclei
Next.js WebSocket Upgrade Handler - SSRF [HIGH]
nuclei · CVSS 8.6
Next.js 13.4.13 to before 15.5.16 and 16.2.5 contains a server-side request forgery caused by crafted WebSocket upgrade requests in the built-in Node.js server, letting attackers proxy requests to arbitrary destinations, exploit requires self-hosted deployment.
Template:

```yaml
id: CVE-2026-44578

info:
  name: Next.js WebSocket Upgrade Handler - SSRF
  author: hacktron,DhiyaneshDk
  severity: high
  description: |
    Next.js 13.4.13 to before 15.5.16 and 16.2.5 contains a server-side request forgery caused by crafted WebSocket upgrade requests in the built-in Node.js server, letting attackers proxy requests to arbitrary destinations, exploit requires self-hosted deployment.
  impact: |
    Attackers can proxy requests to internal or external services, exposing sensitiv
```
Hackernews
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More (tagged CVE-2026-42897 [MEDIUM])
blogs_hackernews · 2026-05-18 · CVSS 6.1
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off.
Patch the quiet risks first. Let’s g
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More (tagged CVE-2026-6973 [CRITICAL])
blogs_hackernews · 2026-05-11 · CVSS 9.3
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Bugzilla
CVE-2026-44578 mozjs128: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests [fedora-all] [HIGH]
bugzilla · 2026-06-02 · CVSS 8.6
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-44578 mozjs140: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests [fedora-all] [HIGH]
bugzilla · 2026-06-02 · CVSS 8.6
Bugzilla
CVE-2026-44578 icecat: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests [fedora-all] [HIGH]
bugzilla · 2026-06-02 · CVSS 8.6
Bugzilla
CVE-2026-44578 conky: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests [fedora-all] [HIGH]
bugzilla · 2026-06-02 · CVSS 8.6
Bugzilla
CVE-2026-44578 firefox: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests [fedora-all] [HIGH]
bugzilla · 2026-06-02 · CVSS 8.6
Bugzilla
CVE-2026-44578 thunderbird: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests [fedora-all] [HIGH]
bugzilla · 2026-06-02 · CVSS 8.6
Bugzilla
CVE-2026-44578 conky: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests [epel-all] [HIGH]
bugzilla · 2026-06-02 · CVSS 8.6
Bugzilla
CVE-2026-44578 Next.js: Next.js: Server-Side Request Forgery via crafted WebSocket upgrade requests [HIGH]
bugzilla · 2026-05-13 · CVSS 8.6
Published: 2026-05-13