A critical server-side request forgery vulnerability in the popular Next.js React framework is putting tens of thousands of self-hosted web applications at risk, allowing unauthenticated attackers to silently probe internal services and steal cloud credentials with no exploitation tools beyond a standard HTTP request.
On May 11, 2026, Vercel published security advisory GHSA-c4j6-fc7j-m34r and simultaneously released patched versions 15.5.16 and 16.2.5 of Next.js to address CVE-2026-44578.
The vulnerability is a server-side request forgery (SSRF) flaw residing in the WebSocket upgrade handler of Next.js’s built-in Node.js server. Rated High severity with a CVSS v3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), it requires no authentication, user interaction, or prior knowledge of the target network’s internal topology.
The vulnerability impacts all self-hosted Next.js deployments running versions ≥ 13.4.13 and < 15.5.16, as well as versions ≥ 16.0.0 and < 16.2.5. Vercel-hosted deployments are not affected, nor are applications deployed on managed platforms like Netlify or AWS Amplify that strip absolute-form request URIs before they reach the Node.js layer.
Next.js SSRF Vulnerability
The root cause is a dangerous asymmetry inside router-server.ts, Next.js’s core HTTP/1.1 routing engine. When a normal HTTP request arrives, Next.js checks both the finished flag and parsedUrl.protocol before proxying the request to an external destination.
However, the WebSocket upgrade handler only checked parsedUrl.protocol, completely ignoring the finished and statusCode flags that indicate whether routing had actually approved the proxy operation.
An attacker exploits this gap with a single crafted HTTP request. By sending an absolute-form URI (e.g., GET http://169.254.169.254/latest/meta-data/ HTTP/1.1) combined with standard WebSocket Upgrade headers, the attacker triggers Node.js’s upgrade event.
Next.js’s vulnerable handler sees parsedUrl.protocol = 'http:', skips the routing approval check, and unquestioningly forwards the connection to the attacker-specified internal host via proxyRequest, piping the internal service’s response directly back to the attacker over the same open socket.
The target of this SSRF is pinned to port 80 due to a URL-normalization quirk in the buggy code path, but that is more than sufficient to reach the most dangerous targets: AWS IMDSv1 (169.254.169.254), internal admin panels, database REST interfaces, and internal configuration APIs.
Researchers confirmed that exploitation requires nothing more than a curl command, with public proof-of-concept code released within days of the advisory.
The blast radius of this flaw is substantial. Shodan indexing shows approximately 740,000 publicly reachable Next.js servers globally, with roughly 118,700 running the built-in Node.js server without a reverse proxy in front. Of those, an estimated ~79,000 hosts are running vulnerable versions and are directly exploitable today.
In cloud-hosted environments, the consequences are especially severe. A successful exploit can expose:
- AWS EC2 instance role credentials (STS tokens) via the IMDSv1 metadata endpoint
- Azure Managed Identity tokens and subscription details
- Google Cloud metadata (though GCP rejects upgrade requests with a 400 in some configurations)
- Database connection strings, API keys, and SSH private keys stored in environment variables or config files
Confirmed real-world exploits have demonstrated the full extraction of cloud credentials in seconds, enabling attackers to pivot laterally across cloud environments and exfiltrate sensitive data.
This vulnerability was also released alongside other high-severity Next.js flaws in Vercel’s May 2026 security batch, including a DoS via connection exhaustion (GHSA-mg66-mrh9-m8jx) and a middleware/proxy bypass (GHSA-492v-c6pp-mqqv).
Patch & Remediation
The fix is surgical and correct: Vercel updated upgradeHandler in router-server.ts to destructure both finished and statusCode from resolveRoutes, and now gates the proxyRequest call on finished && parsedUrl.protocol && !statusCode, the same safety logic the HTTP request handler had always enforced.
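To make the asymmetry concrete, the following is an added illustration (not Next.js source code and not from the advisory): the pre-fix upgrade gate beside the post-fix gate, run against route-resolution results constructed for this demo. The field names finished, statusCode, parsedUrl.protocol and proxyRequest follow the article's description; the resolveRoutes outputs, the hostname ws.example.internal and the scenario values are assumptions made up for the example.

```javascript
// Added illustration, not Next.js source code: the upgrade-handler gate before and
// after the fix, run against route-resolution results constructed for this demo.
// The field names (finished, statusCode, parsedUrl.protocol, proxyRequest) follow
// the advisory text; the resolveRoutes outputs below are invented stand-ins.

// Reduce a raw HTTP/1.1 request line to the shape the gate inspects.
// An absolute-form target ("GET http://host/path HTTP/1.1") yields a protocol;
// an origin-form target ("GET /path HTTP/1.1") yields none.
function parseRequestLine(line) {
  const [method, target, version] = line.trim().split(/\s+/);
  const absoluteForm = /^[a-z][a-z0-9+.-]*:\/\//i.test(target);
  const parsedUrl = absoluteForm
    ? new URL(target)
    : { protocol: null, hostname: null, pathname: target };
  return { method, target, version, absoluteForm, parsedUrl };
}

// Pre-fix gate: the presence of a protocol alone decides whether proxyRequest runs.
function vulnerableUpgradeGate(route) {
  return Boolean(route.parsedUrl.protocol);
}

// Post-fix gate (the check the HTTP request handler already applied): routing must
// have finished, produced an external target, and not already chosen a status code.
function fixedUpgradeGate(route) {
  return Boolean(route.finished && route.parsedUrl.protocol && !route.statusCode);
}

// Constructed scenarios standing in for what resolveRoutes would return.
function scenarios() {
  const hostile = parseRequestLine('GET http://169.254.169.254/latest/meta-data/ HTTP/1.1');
  const legit = parseRequestLine('GET /ws HTTP/1.1');
  return {
    // Attacker-supplied absolute-form target that routing never approved.
    unapprovedAbsoluteForm: { ...hostile, finished: false, statusCode: undefined },
    // Routing matched a configured external rewrite for an ordinary origin-form request.
    approvedRewrite: {
      ...legit,
      parsedUrl: new URL('https://ws.example.internal/'), // constructed rewrite target
      finished: true,
      statusCode: undefined,
    },
    // Routing already decided to answer (here with 404) instead of proxying.
    alreadyAnswered: { ...hostile, finished: true, statusCode: 404 },
  };
}

// Run both gates over every scenario; only the fixed gate refuses the unapproved
// and already-answered cases, while both still allow the approved rewrite.
function compareGates() {
  const result = {};
  for (const [name, route] of Object.entries(scenarios())) {
    result[name] = { vulnerable: vulnerableUpgradeGate(route), fixed: fixedUpgradeGate(route) };
  }
  return result;
}

console.table(compareGates());
```

The approvedRewrite row shows why the fix is not simply "never proxy an upgrade": a rewrite that routing has actually approved still passes the corrected gate, so legitimate external WebSocket rewrites keep working.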
Upgrade immediately to:
- Next.js 15.5.16 (for the 13.x–15.x branch)
- Next.js 16.2.5 (for the 16.x branch)
For organizations that cannot patch immediately, the following mitigations significantly reduce risk:
- Place nginx, Caddy, or HAProxy in front of Next.js; these reverse proxies reject absolute-form request URIs (GET http://...) by default, neutralizing the exploit’s delivery mechanism
- Add a WAF rule to block inbound requests whose URI begins with http:// or https://
- Enable AWS IMDSv2 (HttpTokens=required) to neutralize the most damaging credential-theft path even on unpatched instances
- Block WebSocket upgrades at your load balancer if your application does not require them
- Restrict origin egress to prevent the Next.js process from reaching internal network ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints
Security teams should also audit logs for the telltale exploitation fingerprint: request lines starting with http:// or https:// accompanied by Upgrade: websocket headers, and unusual outbound traffic to 169.254.169.254:80 or metadata.google.internal:80 from application servers.
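The log audit described above, as an added example that is not part of the original article: it scans a constructed reverse-proxy access log for the fingerprint (absolute-form request target plus Upgrade: websocket) and checks flow records for metadata-endpoint egress on port 80. The log format is an assumption for this demo (one in which the Upgrade request header is appended as the last quoted field, as nginx can do with $http_upgrade); the client addresses, timestamps and the internal-admin hostname are constructed sample data.

```javascript
// Added detection example (not from the advisory or the Next.js project).
// Input is a constructed reverse-proxy access log whose last quoted field is the
// Upgrade request header (nginx can emit it as $http_upgrade; the exact log_format
// assumed here is a demo convention, not a standard one).

const LINE_RE = /^(\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) "([^"]*)"$/;

// Parse one access-log line into its fields; return null for unparseable lines.
function parseAccessLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const [, client, time, method, target, version, status, upgrade] = m;
  return { client, time, method, target, version, status: Number(status), upgrade };
}

// The article's fingerprint: an absolute-form request target (http:// or https://)
// arriving together with an Upgrade: websocket header.
function classify(rec) {
  const absoluteForm = /^https?:\/\//i.test(rec.target);
  const wsUpgrade = rec.upgrade.toLowerCase() === 'websocket';
  if (absoluteForm && wsUpgrade) return 'absolute-form-upgrade'; // CVE-2026-44578 pattern
  if (absoluteForm) return 'absolute-form';                      // unusual on its own, review it
  return 'ok';
}

// Outbound side of the fingerprint: application servers reaching a cloud metadata
// endpoint on port 80. Flow records are constructed { src, dstHost, dstPort } objects.
const METADATA_HOSTS = new Set(['169.254.169.254', 'metadata.google.internal']);
function isMetadataEgress(flow) {
  return METADATA_HOSTS.has(String(flow.dstHost).toLowerCase()) && flow.dstPort === 80;
}

// Scan a log text and return only the lines worth an analyst's attention.
function auditAccessLog(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    const rec = parseAccessLine(line);
    if (!rec) { findings.push({ line, verdict: 'unparsed' }); continue; }
    const verdict = classify(rec);
    if (verdict !== 'ok') findings.push({ line, verdict, client: rec.client, target: rec.target });
  }
  return findings;
}

// Constructed sample: two ordinary requests (one a legitimate origin-form WebSocket
// upgrade), one exploit-shaped request, and one absolute-form request without an
// Upgrade header. Addresses and hostnames are made up.
const SAMPLE_LOG = [
  '198.51.100.4 [11/May/2026:10:12:01 +0000] "GET /dashboard HTTP/1.1" 200 "-"',
  '198.51.100.4 [11/May/2026:10:12:02 +0000] "GET /_next/ws HTTP/1.1" 101 "websocket"',
  '203.0.113.7 [11/May/2026:10:12:03 +0000] "GET http://169.254.169.254/latest/meta-data/ HTTP/1.1" 101 "websocket"',
  '203.0.113.7 [11/May/2026:10:12:09 +0000] "GET HTTP://internal-admin/ HTTP/1.1" 404 "-"',
].join('\n');

for (const f of auditAccessLog(SAMPLE_LOG)) console.log(f.verdict, f.client, f.target);
```

Matching the scheme case-insensitively matters: a request line is parsed by the proxy as bytes, and "HTTP://" reaches the same code path as "http://". The origin-form WebSocket upgrade on the second line is deliberately left at 'ok' so that legitimate real-time features do not flood the finding list.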
FAQ
Q1: Does this vulnerability affect Next.js apps hosted on Vercel?
Only self-hosted applications running the built-in Node.js server are affected; Vercel-managed and most PaaS deployments are not vulnerable.
Q2: Does an attacker need credentials or special access to exploit CVE-2026-44578?
No, the attack requires zero authentication, no cookies, and no prior knowledge of internal URLs, making it exploitable by any unauthenticated attacker with network access to the server.
Q3: Which Next.js versions are safe to run?
Versions 15.5.16 and 16.2.5 contain the fix; any self-hosted deployment in the affected ranges (13.4.13 up to but not including 15.5.16, and 16.0.0 up to but not including 16.2.5) remains vulnerable and should be patched immediately.
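The affected ranges stated earlier on this page and restated in this answer can be encoded as a small fleet-audit helper. This is an added example, not part of the article or of Next.js: it takes installed Next.js versions (for instance from a lockfile) and reports which self-hosted deployments fall inside the published ranges and which fixed version closes the gap. The manifest and application names are constructed sample data; the simplified pre-release ordering is noted in the comments.

```javascript
// Added fleet-audit helper (not part of the advisory or Next.js). It encodes only the
// affected ranges the advisory states for CVE-2026-44578; the manifest at the bottom
// is constructed sample data. Feed it exact installed versions, not package.json
// range specifiers such as "^14.0.0".

// Affected ranges as published: >=13.4.13 <15.5.16 and >=16.0.0 <16.2.5.
const AFFECTED_RANGES = [
  { min: '13.4.13', fixed: '15.5.16' },
  { min: '16.0.0', fixed: '16.2.5' },
];

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and optional pre-release tag.
function parseVersion(v) {
  const s = String(v).trim().replace(/^v/, '');
  const dash = s.indexOf('-');
  const core = dash === -1 ? s : s.slice(0, dash);
  const pre = dash === -1 ? null : s.slice(dash + 1);
  const parts = core.split('.');
  if (parts.length !== 3 || !parts.every(p => /^\d+$/.test(p))) {
    throw new Error(`cannot parse version: ${v}`);
  }
  return { nums: parts.map(Number), pre };
}

// Semver-style ordering: numeric core first; on an equal core a pre-release sorts
// below the release (so 16.2.5-canary.1 < 16.2.5 and is still affected). Two
// pre-releases are compared as plain strings here, a simplification of full semver.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function affectedRange(version) {
  return AFFECTED_RANGES.find(r =>
    compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixed) < 0) || null;
}

// True when the installed version falls inside a published affected range.
function isAffected(version) {
  return affectedRange(version) !== null;
}

// Fixed version on the same branch, or null when the version is not affected.
function recommendedUpgrade(version) {
  const r = affectedRange(version);
  return r ? r.fixed : null;
}

// Audit { app, version, selfHosted } records. Only self-hosted deployments on the
// built-in Node.js server are in scope per the advisory, so hosted apps are skipped.
function auditFleet(manifest) {
  return manifest
    .filter(m => m.selfHosted && isAffected(m.version))
    .map(m => ({ app: m.app, version: m.version, upgradeTo: recommendedUpgrade(m.version) }));
}

// Constructed sample manifest.
const SAMPLE_MANIFEST = [
  { app: 'storefront', version: '14.2.3', selfHosted: true },
  { app: 'admin', version: '16.1.0', selfHosted: true },
  { app: 'marketing', version: '16.1.0', selfHosted: false }, // Vercel-hosted, out of scope
  { app: 'docs', version: '15.5.16', selfHosted: true },      // already patched
  { app: 'legacy', version: '13.4.12', selfHosted: true },    // below the affected floor
];

console.table(auditFleet(SAMPLE_MANIFEST));
```

The helper is deliberately strict about input: a caret or tilde range from package.json is rejected rather than guessed at, because the vulnerable code is whatever version is actually installed, and a lockfile or the running process is the only reliable source for that.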
Q4: Can blocking WebSocket traffic fully mitigate the risk without patching?
Blocking WebSocket upgrades at the reverse proxy eliminates the attack vector but also turns off legitimate WebSocket features; the safest and recommended approach remains upgrading to the patched version.