CVE-2026-44572

LOW LAB

Next.js: Middleware / Proxy redirects can be cache-poisoned

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-44572. PoCs published by dwisiswant0, XZ1r0.

AI-analyzed exploit summary: This repository contains functional proof-of-concept exploits for multiple CVEs affecting Next.js v16.2.4, including SSRF, XSS, DoS, and cache poisoning vulnerabilities. The PoCs are well-documented with detailed write-ups, vulnerable code excerpts, and runnable exploit scripts.

Description

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send an x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.
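The description above turns on the cache layer, not on Next.js alone: the redirect is only a problem for other visitors if the CDN or reverse proxy caches the 3xx under a key that ignores the x-nextjs-data header. The following added example (not code from Next.js, from the PoC repositories listed on this page, or from any CDN product) models that cache layer so the two edge-side properties a defender cares about can be checked: whether the cache key varies on the header (or the header is dropped from untrusted clients before it reaches the origin), and whether any cached entry is a 3xx with no Location header, which is the symptom described above. The `unpatchedOrigin` stub, the `EdgeCache` class and the `/account` and `/login` paths are constructed for this illustration; the only names taken from the page are the two header names.

```javascript
// Added example, not Next.js or PoC code: a minimal model of a shared cache in
// front of a middleware redirect, with a detection check for unusable 3xx entries.

const DATA_HEADER = 'x-nextjs-data';           // header named in the advisory
const INTERNAL_REDIRECT = 'x-nextjs-redirect'; // internal header named in the advisory

// Constructed stand-in for the unpatched behaviour the advisory describes: a
// request carrying x-nextjs-data is treated as a data request and the Location
// header is replaced by the internal x-nextjs-redirect header. Not Next.js code.
function unpatchedOrigin(req) {
  const target = '/login'; // constructed redirect destination
  if (DATA_HEADER in req.headers) {
    return { status: 307, headers: { [INTERNAL_REDIRECT]: target } };
  }
  return { status: 307, headers: { location: target } };
}

// Detection: a 3xx that no browser can follow is the symptom the advisory describes.
function isUnusableRedirect(res) {
  return res.status >= 300 && res.status < 400 && !('location' in res.headers);
}

// Minimal shared cache keyed on path plus whichever request headers the
// deployment chooses to vary on. Constructed for this example; real CDNs
// expose equivalent cache-key and header-rewrite settings under their own names.
class EdgeCache {
  constructor({ vary = [], strip = [] } = {}) {
    this.vary = vary.map((h) => h.toLowerCase());   // headers included in the cache key
    this.strip = strip.map((h) => h.toLowerCase()); // headers removed from client requests
    this.store = new Map();
  }

  key(req) {
    const parts = this.vary.map((h) => `${h}=${req.headers[h] ?? ''}`);
    return `${req.path}|${parts.join('|')}`;
  }

  fetch(req, origin) {
    // Mitigation 1 (assumed edge rule): drop the internal header from untrusted
    // clients before the request reaches the origin.
    const headers = { ...req.headers };
    for (const h of this.strip) delete headers[h];
    const normalized = { ...req, headers };

    // Mitigation 2: a cache key that varies on the header keeps the data-request
    // response separate from the one served to normal clients.
    const k = this.key(normalized);
    if (this.store.has(k)) return { ...this.store.get(k), cached: true };

    const res = origin(normalized);
    // Like the CDN in the advisory, this cache stores 3xx responses.
    if (res.status >= 300 && res.status < 400) this.store.set(k, res);
    return { ...res, cached: false };
  }

  // Audit: cache entries that would be served to visitors as unusable redirects.
  poisonedKeys() {
    return [...this.store]
      .filter(([, res]) => isUnusableRedirect(res))
      .map(([k]) => k);
  }
}

// Scenario: one request carrying the header, then a normal client on the same path.
// Returns what the normal client sees and what the audit finds.
function runScenario(cacheOptions) {
  const cache = new EdgeCache(cacheOptions);
  const path = '/account'; // constructed redirecting path
  cache.fetch({ path, headers: { [DATA_HEADER]: '1' } }, unpatchedOrigin);
  const normal = cache.fetch({ path, headers: {} }, unpatchedOrigin);
  return {
    normalClientGetsLocation: 'location' in normal.headers,
    servedFromCache: normal.cached,
    poisoned: cache.poisonedKeys(),
  };
}

for (const [label, opts] of [
  ['no vary, no strip', {}],
  ['vary on header   ', { vary: [DATA_HEADER] }],
  ['strip header     ', { strip: [DATA_HEADER] }],
]) {
  console.log(label, runScenario(opts));
}
```

Only the first configuration serves the normal client a cached 3xx without Location; varying on the header isolates the bad entry (the audit still lists it, which is useful for purge logic), and stripping the header at the edge never lets such an entry into the cache at all. Either edge setting is a stopgap; the fix named on this page is upgrading to 15.5.16 or 16.2.5.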

Exploits (2)

github · WORKING POC · 127 stars
by dwisiswant0 · python · poc
https://github.com/dwisiswant0/next-16.2.4-pocs

This repository contains functional proof-of-concept exploits for multiple CVEs affecting Next.js v16.2.4, including SSRF, XSS, DoS, and cache poisoning vulnerabilities. The PoCs are well-documented with detailed write-ups, vulnerable code excerpts, and runnable exploit scripts.

Classification
Working PoC 95%
Attack Type
SSRF | XSS | DoS | Auth Bypass | Cache Poisoning
Complexity
Moderate
Reliability
Reliable
Target: Next.js v16.2.4
No auth needed
Prerequisites: Vulnerable Next.js v16.2.4 installation · Network access to the target
devstral-2 · analyzed May 13, 2026

github · WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/next-16.2.4-pocs/poc/CVE-2026-44572_GHSA-3g8h-86w9-wvmq

This repository contains a functional exploit for CVE-2026-44572, demonstrating how an attacker can manipulate the `x-nextjs-data` header to convert a legitimate 307 redirect into a malformed 200 OK response, leading to cache poisoning and DoS in Next.js versions <= 16.2.4.

Classification
Working PoC 100%
Attack Type
DoS
Complexity
Trivial
Reliability
Reliable
Target: Next.js <= 16.2.4
No auth needed
Prerequisites: A Next.js application with a redirect endpoint (e.g., via `next.config.js` or middleware)
devstral-2 · analyzed May 21, 2026


Scores

CVSS v3 3.7
EPSS 0.0001
EPSS Percentile 0.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-349
Status published
Products (5)
npm/next 12.2.0 - 15.5.16 (npm)
npm/next 16.0.0 - 16.2.5 (npm)
vercel/next.js 12.2.0 - 15.5.16
vercel/next.js >= 12.2.0, < 15.5.16
vercel/next.js >= 16.0.0, < 16.2.5
Published May 13, 2026
Tracked Since May 13, 2026