CVE-2026-44578
published 2026-05-13


Priority: P2 (76, high)
CVSS 3.1: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Exploit: known
EPSS: 38.70% (98.4th percentile)
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.

Affected (14 ranges)

Vendor    Product                    Version range           Fixed in
mozilla   firefox                    -                       -
mozilla   thunderbird                -                       -
next      next                       -                       -
next      next                       >= 13.4.13 < 15.5.16    15.5.16
next      next                       >= 16.0.0 < 16.2.5      16.2.5
rhelai3   bootc-cuda-rhel9           -                       -
rhelai3   bootc-gaudi-rhel9          -                       -
rhelai3   bootc-rocm-rhel9           -                       -
rhelai3   disk-image-cuda-rhel9      -                       -
rhtas     rekor-search-ui-rhel9      -                       -
vercel    next.js                    -                       -
vercel    next.js                    -                       -
vercel    next.js                    >= 13.4.13 < 15.5.16    15.5.16
vercel    next.js                    >= 16.0.0 < 16.2.5      16.2.5

Detection & IOCs (extracted from sources)

url:   http://169.254.169.254/metadata/v1.json
url:   http://169.254.169.254/latest/meta-data/
url:   http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true
other: Connection: Upgrade / Upgrade: websocket (WebSocket upgrade request pattern)
other: Metadata-Flavor: Google
  • Detect exploitation attempts by monitoring for HTTP/1.1 WebSocket upgrade requests (Connection: Upgrade, Upgrade: websocket) in which the request path or Host header contains an internal or cloud metadata address such as 169.254.169.254 or metadata.google.internal; this combination indicates SSRF abuse of the Next.js built-in Node.js server.
  • Use the Shodan query 'http.component:"Next.js"' to inventory internet-exposed Next.js instances that may be vulnerable to this SSRF via WebSocket upgrade.
  • The exploit applies only to self-hosted Next.js deployments using the built-in Node.js server; Vercel-hosted deployments are not affected. Scope detection rules accordingly.
  • The affected version range is Next.js 13.4.13 up to (but not including) 15.5.16 and 16.2.5; both fix branches must be checked when assessing deployed versions.
  • The vulnerability is exclusive to self-hosted deployments using the built-in Node.js server; cloud-managed (Vercel) deployments are not in scope for this CVE.
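The first detection bullet above, as an added example (not code from Next.js, Vercel or the advisory source): a small scanner that reads access-log lines and flags WebSocket upgrade requests whose request target or Host header names one of the listed metadata addresses. The log format (one JSON object per line with method, path and headers) is a constructed simplification; adapt the parsing to your real log shape.

```javascript
// Added example, not code from Next.js or the advisory: flag WebSocket upgrade
// requests whose request target or Host header names a cloud metadata address.
// The JSON-per-line log format is constructed and simplified; adapt to your logs.
const METADATA_ADDRESSES = ["169.254.169.254", "metadata.google.internal"];

// Case-insensitive header lookup (HTTP header names are not case-sensitive).
function getHeader(headers, name) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return entry ? entry[1] : "";
}

// Connection may carry several comma-separated tokens ("keep-alive, Upgrade"),
// so compare tokens rather than the whole value.
function headerHasToken(headers, name, token) {
  return getHeader(headers, name).split(",")
    .map((t) => t.trim().toLowerCase()).includes(token);
}

function isWebSocketUpgrade(headers) {
  return headerHasToken(headers, "connection", "upgrade") &&
    headerHasToken(headers, "upgrade", "websocket");
}

// Metadata address referenced by the request target or Host header, or null.
function metadataTarget(path, headers) {
  const haystack = `${path} ${getHeader(headers, "host")}`.toLowerCase();
  return METADATA_ADDRESSES.find((addr) => haystack.includes(addr)) ?? null;
}

// Suspicious only for the combination the advisory describes: an upgrade request
// aimed at a metadata address. Non-upgrade hits are reported with upgrade=false.
function classifyRequest(req) {
  const upgrade = isWebSocketUpgrade(req.headers);
  const target = metadataTarget(req.path, req.headers);
  return { path: req.path, upgrade, target, suspicious: upgrade && target !== null };
}

function scanLog(lines) {
  return lines.map((line) => classifyRequest(JSON.parse(line)));
}

// Constructed sample log lines: benign HMR upgrade, two attempts, one non-upgrade.
const SAMPLE_LOG = [
  '{"method":"GET","path":"/_next/webpack-hmr","headers":{"Host":"app.example.com","Connection":"Upgrade","Upgrade":"websocket"}}',
  '{"method":"GET","path":"http://169.254.169.254/latest/meta-data/","headers":{"Host":"app.example.com","Connection":"keep-alive, Upgrade","Upgrade":"websocket"}}',
  '{"method":"GET","path":"/","headers":{"Host":"metadata.google.internal","Connection":"Upgrade","Upgrade":"WebSocket","Metadata-Flavor":"Google"}}',
  '{"method":"GET","path":"http://169.254.169.254/metadata/v1.json","headers":{"Host":"app.example.com"}}',
];
scanLog(SAMPLE_LOG).filter((r) => r.suspicious).forEach((r) => console.log(`suspicious upgrade: ${r.path} -> ${r.target}`));
```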

CVSS provenance

NVD (v3.1):        8.6 HIGH   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Vendor (Red Hat):  8.6 HIGH