Key Takeaways
- A high‑severity Server‑Side Request Forgery (SSRF) flaw (CVE‑2026-44578) exists in the default Node.js server of self‑hosted Next.js applications.
- Attackers can abuse WebSocket upgrade requests to turn the server into a proxy, bypassing external firewalls and reaching internal services, cloud metadata endpoints, and admin panels.
- The vulnerability leaks temporary IAM credentials, API tokens, and deployment secrets, enabling further network pivoting and data breaches.
- Vercel‑hosted Next.js apps are not affected because Vercel does not use the vulnerable WebSocket routing implementation.
- Affected versions span two maintenance tracks; patches are available in Next.js 15.5.16 and Next.js 16.2.5.
- If immediate patching isn’t possible, administrators should block WebSocket upgrade requests at the reverse‑proxy or load‑balancer level and restrict outbound traffic to internal/cloud metadata services.
- Continuous version monitoring, network segmentation, and logging are essential to prevent exploitation.
Overview of the Vulnerability
The security issue, tracked as CVE‑2026-44578, resides in how the built‑in Next.js Node.js server processes WebSocket upgrade requests. Unlike ordinary HTTP requests, WebSocket upgrades involve a handshake that, if mishandled, can be leveraged to make the server act as a generic TCP proxy. This flaw permits an attacker to craft a specially formed WebSocket request that tricks the Next.js server into forwarding traffic to arbitrary internal or external destinations, effectively turning the application into a stepping stone for further attacks.
How the Exploit Works
When a client sends a WebSocket upgrade request containing a malicious target URL in the Upgrade or Connection headers (or via a crafted sub‑protocol), the vulnerable Next.js server incorrectly treats the request as a legitimate proxy operation. Instead of validating the destination against a whitelist, it establishes a TCP connection to the supplied endpoint and relays data bidirectionally. Because the request originates from the trusted Next.js process, external firewalls and network‑based intrusion detection systems often see it as legitimate outbound traffic, allowing the attacker to bypass perimeter defenses.
Impact on Cloud Credentials and Internal Services
Once the server is acting as a proxy, an adversary can reach internal network services that are normally inaccessible from the internet. Of particular concern are cloud metadata endpoints (e.g., AWS 169.254.169.254, GCP metadata.google.internal, Azure 169.254.169.254), which frequently expose temporary IAM role credentials, API keys, and deployment secrets. By querying these endpoints, attackers can harvest short‑lived tokens that provide privileged access to cloud resources, enabling data exfiltration, lateral movement, or the creation of persistent backdoors. Additionally, unprotected internal admin panels, development dashboards, or micro‑service APIs become reachable, further amplifying the risk of data breaches.
Scope: Self‑Hosted vs Vercel
The SSRF vulnerability exclusively impacts self‑hosted Next.js deployments that rely on the framework’s default Node.js server. Applications hosted on Vercel remain completely safe because Vercel’s infrastructure does not employ the vulnerable WebSocket upgrade handling path; instead, it routes WebSocket connections through a hardened, multi‑tenant edge network that enforces strict validation. Consequently, organizations using Vercel’s platform do not need to apply the patches described below, though they should still maintain general security hygiene.
Affected Versions and Release Tracks
The flaw affects two distinct release lines within the Next.js ecosystem: the legacy 15.x maintenance track and the current 16.x track. Specific vulnerable versions include all releases prior to 15.5.16 on the 15.x line and all releases prior to 16.2.5 on the 16.x line. The Next.js security team identified the issue during routine audits and assigned it the internal identifier GHSA‑c4j6‑fc7j‑m34r. Users running any version below the cited patches should consider themselves exposed and prioritize upgrading.
Patch Details and Mitigation Recommendations
Next.js 15.5.16 and Next.js 16.2.5 introduce strict safety checks in the WebSocket upgrade handler. The server now only proxies upgrade requests when the corresponding route is explicitly marked as an external rewrite in the Next.js configuration (e.g., via rewrites with destination: 'external'). All other upgrade attempts are rejected with an error response, preventing the server from being co‑opted as a generic proxy. Administrators are urged to upgrade to these versions as soon as possible; the patch is backward‑compatible and does not require code changes unless custom WebSocket handling was previously implemented.
Network‑Level Defenses
If upgrading is not immediately feasible, organizations should implement compensating controls at the network edge. Reverse proxies (such as NGINX, Envoy, or HAProxy) or load balancers can be configured to reject any incoming WebSocket upgrade requests (Upgrade: websocket) unless the application explicitly expects them. Additionally, outbound traffic from the Next.js host should be tightly restricted: block direct access to known cloud metadata IP ranges (e.g., 169.254.169.254/32) and limit connections to internal service networks to only those ports and protocols required for legitimate operation. Deploying egress filtering and monitoring for anomalous outbound connections can help detect attempted exploitation.
Best Practices for Administrators
Beyond patching and network controls, administrators should maintain an up‑to‑date inventory of all self‑hosted Next.js instances, including version numbers and deployment contexts. Enable detailed logging of WebSocket upgrade attempts and correlate logs with alerting rules that trigger on repeated failed upgrades or unexpected outbound connections to metadata endpoints. Regularly review and test firewall rules, and consider adopting a zero‑trust network architecture where internal services are not reachable from the application host without explicit authorization. Finally, subscribe to security mailing lists or follow the Next.js project’s official channels to receive timely notifications about future vulnerabilities.
Conclusion and Call to Action
CVE‑2026-44578 represents a serious threat to any organization running self‑hosted Next.js applications, as it enables attackers to hijack the server’s trust position and exfiltrate sensitive cloud credentials or infiltrate internal networks. The remedy is straightforward: upgrade to Next.js 15.5.16 or 16.2.5, or, if that cannot be done immediately, enforce strict WebSocket upgrade blocking and outbound traffic restrictions at the perimeter. By combining prompt patching, network segmentation, vigilant monitoring, and adherence to security best practices, teams can mitigate the risk posed by this SSRF flaw and protect their critical assets from compromise.