CVE-2026-44578 Overview
CVE-2026-44578 is a Server-Side Request Forgery (SSRF) vulnerability in Next.js, the React framework for full-stack web applications. The flaw affects self-hosted applications using the built-in Node.js server in versions from 13.4.13 up to (but not including) 15.5.16 and 16.2.5. Attackers can send crafted WebSocket upgrade requests to force the server to proxy requests to arbitrary internal or external destinations. Vercel-hosted deployments are not affected. The issue is tracked under [CWE-918] and is fixed in 15.5.16 and 16.2.5.
Critical Impact
Unauthenticated attackers can pivot through the Next.js server to reach internal services and cloud metadata endpoints, exposing credentials and sensitive infrastructure.
Affected Products
- Next.js self-hosted applications from 13.4.13 to before 15.5.16
- Next.js self-hosted applications from 16.0.0 to before 16.2.5
- Deployments using the built-in Node.js server (Vercel-hosted deployments are not affected)
Discovery Timeline
- 2026-05-13 - CVE-2026-44578 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44578
Vulnerability Analysis
The vulnerability is a Server-Side Request Forgery (SSRF) flaw [CWE-918] in the built-in Node.js server shipped with Next.js. The server processes WebSocket upgrade requests without sufficient validation of the destination target. An attacker can craft an HTTP Upgrade request that causes the Next.js process to open an outbound connection to a destination of the attacker's choosing. Because the request originates from the application server, it bypasses network controls intended to isolate backend services. This enables access to internal hosts, private APIs, and cloud provider metadata endpoints such as 169.254.169.254 on AWS, GCP, and Azure.
Root Cause
The root cause is improper handling of the proxy target during WebSocket upgrade processing in the self-hosted Node.js server. The upgrade handler trusts request-controlled fields when determining where to forward the upgrade. No allowlist or origin validation restricts the destination, allowing arbitrary internal and external URLs to be reached. Vercel-hosted environments use a different request pipeline and are therefore unaffected.
Attack Vector
Exploitation requires only network access to the vulnerable Next.js endpoint and no authentication or user interaction. An attacker sends an HTTP request containing Connection: Upgrade and Upgrade: websocket headers, with crafted fields that direct the proxied request to an internal target. The server then issues the request on the attacker's behalf and may return response data. Common targets include cloud instance metadata services, internal Redis or Elasticsearch instances, and admin panels bound to localhost. Technical details are available in the GitHub Security Advisory GHSA-c4j6-fc7j-m34r.
Detection Methods for CVE-2026-44578
Indicators of Compromise
- Inbound HTTP requests to Next.js endpoints containing Upgrade: websocket headers from unexpected sources or with anomalous target parameters.
- Outbound connections from the Next.js process to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or to 169.254.169.254.
- Access log entries showing WebSocket upgrade attempts to paths not used by the application's legitimate client code.
Detection Strategies
- Inspect reverse proxy and application logs for HTTP 101 Switching Protocols responses tied to unusual upstream destinations.
- Correlate WebSocket upgrade requests with subsequent outbound connections from the Node.js process to non-application hosts.
- Alert on any request from the Next.js server to cloud metadata IPs, which legitimate application traffic should never reach.
Monitoring Recommendations
- Enable egress logging on the host or container running Next.js and review destinations for internal-only addresses.
- Monitor for unexpected reads of IAM credentials from cloud metadata services after deploying the patched version.
- Track the running version of Next.js across environments and flag any instance still on 13.4.13 through 15.5.15 or 16.0.0 through 16.2.4.
How to Mitigate CVE-2026-44578
Immediate Actions Required
- Upgrade self-hosted Next.js to 15.5.16 or 16.2.5 immediately on all Node.js server deployments.
- Inventory all Next.js applications using the built-in Node.js server (next start) to confirm patch coverage.
- Rotate any cloud credentials or secrets potentially exposed via metadata service access if exploitation is suspected.
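To support the inventory step above and the version tracking recommended under Monitoring Recommendations, the following Node.js script is an added example written for this page (not code from the advisory or the Next.js project). It encodes the two affected ranges the advisory gives, compares exact installed versions against them, and reports which entries of a constructed inventory still need the upgrade. Only exact `x.y.z` versions are judged; a declared range such as `^14.2.0` from a package.json, or a prerelease tag, is reported as unknown because the installed copy (for example `npx next --version`) is what matters.

```javascript
// Added example (not part of the advisory): audit Next.js versions against the
// affected ranges listed in CVE-2026-44578.
const AFFECTED = [
  { from: '13.4.13', before: '15.5.16', fixed: '15.5.16' },
  { from: '16.0.0',  before: '16.2.5',  fixed: '16.2.5'  },
];

// Parse an exact release version; prerelease tags and ranges return null.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the fixed version to upgrade to when `version` is affected, null when
// it is not, and undefined when the input is not an exact installed version.
function affectedBy(version) {
  const v = parseVersion(version);
  if (!v) return undefined;
  for (const r of AFFECTED) {
    if (compareVersions(v, parseVersion(r.from)) >= 0 &&
        compareVersions(v, parseVersion(r.before)) < 0) {
      return r.fixed;
    }
  }
  return null;
}

// Turn an inventory of { service, next } entries into a status report.
function auditInventory(entries) {
  return entries.map(e => {
    const fix = affectedBy(e.next);
    const status = fix === undefined ? 'unknown' : (fix ? 'vulnerable' : 'ok');
    return { service: e.service, next: e.next, status, upgradeTo: fix || null };
  });
}

// Constructed sample inventory for the example.
const SAMPLE_INVENTORY = [
  { service: 'storefront', next: '15.5.15' },
  { service: 'admin',      next: '16.2.5'  },
  { service: 'docs',       next: '13.4.12' },
  { service: 'blog',       next: '16.0.0'  },
  { service: 'legacy',     next: '^14.2.0' }, // declared range, not an installed version
];

console.table(auditInventory(SAMPLE_INVENTORY));
```

The report marks `storefront` (upgrade to 15.5.16) and `blog` (upgrade to 16.2.5) as vulnerable, `admin` and `docs` as ok, and `legacy` as unknown until its installed version is read from the deployed artifact.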
Patch Information
The maintainers fixed CVE-2026-44578 in Next.js 15.5.16 and 16.2.5. Upgrade using npm install next@15.5.16 or npm install next@16.2.5 depending on your major version branch. Refer to the GitHub Security Advisory GHSA-c4j6-fc7j-m34r for full remediation details.
Workarounds
- Deploy the application behind a reverse proxy that strips or rejects Upgrade: websocket headers if WebSockets are not used by the application.
- Use IMDSv2 on AWS and equivalent hardened metadata configurations on Azure and GCP to require session tokens for metadata access.
- Apply strict egress firewall rules on the Next.js host to deny outbound traffic to internal subnets and metadata endpoints not required by the application.
# Upgrade Next.js to a patched release
npm install next@16.2.5
# or for the 15.x branch
npm install next@15.5.16
# Verify the installed version
npx next --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.