Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
Title source: cnaExploitation Summary
EIP tracks 2 public exploits for CVE-2026-44575. PoCs published by dwisiswant0, XZ1r0.
AI-analyzed exploit summary This repository contains functional exploit PoCs for multiple Next.js vulnerabilities (CVE-2026-23870, CVE-2026-44573, etc.), including detailed writeups, vulnerable code snippets, and harnesses for testing. The exploits target issues like DoS, SSRF, XSS, and cache poisoning in Next.js v16.2.4.
Description
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check. This vulnerability is fixed in 15.5.16 and 16.2.5.
Exploits (2)
This repository contains functional exploit PoCs for multiple Next.js vulnerabilities (CVE-2026-23870, CVE-2026-44573, etc.), including detailed writeups, vulnerable code snippets, and harnesses for testing. The exploits target issues like DoS, SSRF, XSS, and cache poisoning in Next.js v16.2.4.
This repository contains a functional exploit for CVE-2026-44575, demonstrating a middleware bypass in Next.js ≤ v16.2.4 via App Router segment-prefetch URLs. The exploit includes Python and Bash scripts that test for the vulnerability by sending crafted requests to bypass authentication checks.
References (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N