CVE-2026-44578

HIGH · NUCLEI · LAB

Next.js: Server-side request forgery in applications using WebSocket upgrades

Title source: cna

Exploitation Summary

EIP tracks 8 public exploits for CVE-2026-44578. PoCs published by dwisiswant0, ynsmroztas, dinosn. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains functional proof-of-concept exploits for multiple Next.js vulnerabilities, including SSRF, XSS, and DoS, with detailed technical analysis and patch diffs. The PoCs are structured for defensive research and regression testing.

Description

Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.

Exploits (8)

github WORKING POC 127 stars
by dwisiswant0 · python · poc
https://github.com/dwisiswant0/next-16.2.4-pocs

This repository contains functional proof-of-concept exploits for multiple Next.js vulnerabilities, including SSRF, XSS, and DoS, with detailed technical analysis and patch diffs. The PoCs are structured for defensive research and regression testing.

Classification: Working PoC (95%)
Attack Type: SSRF | XSS | DoS | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Next.js v16.2.4
No auth needed
Prerequisites: Vulnerable Next.js v16.2.4 installation · Network access to target
devstral-2 · analyzed May 13, 2026

nomisec WORKING POC 6 stars
by ynsmroztas · poc
https://github.com/ynsmroztas/nextssrf

This repository contains a functional exploit for CVE-2026-44578, an SSRF vulnerability in the Next.js WebSocket upgrade handler. The exploit includes both scanning and interactive shell capabilities for targeting cloud metadata services.

Classification: Working PoC (95%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Next.js (13.4.13-15.5.15, 16.0.0-16.2.4)
No auth needed
Prerequisites: Target running vulnerable Next.js version · Network access to target
devstral-2 · analyzed May 15, 2026

nomisec WORKING POC 1 star
by dinosn · poc
https://github.com/dinosn/CVE-2026-44578

This repository contains a functional exploit for CVE-2026-44578, a Server-Side Request Forgery (SSRF) vulnerability in Next.js self-hosted deployments. The exploit leverages a flawed WebSocket upgrade handler to extract AWS credentials and internal service data from localhost:80.

Classification: Working PoC (100%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Next.js 13.4.13 – 15.5.15, 16.0.0 – 16.2.4 (self-hosted only)
No auth needed
Prerequisites: Docker + Docker Compose · Python 3.10+ · netcat (nc)
devstral-2 · analyzed May 16, 2026

github WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/web/CVE-2026-44578

This repository contains a functional exploit for CVE-2026-44578, a Server-Side Request Forgery (SSRF) vulnerability in Next.js. The exploit leverages a missing routing-completion check in the WebSocket upgrade handler, allowing unauthenticated attackers to send crafted HTTP/1.1 requests with absolute-form URIs to proxy requests to internal services.

Classification: Working PoC (100%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Next.js (versions 13.4.13 – 15.5.15, 16.0.0 – 16.2.4)
No auth needed
Prerequisites: Access to a vulnerable Next.js server · Network connectivity to internal services (e.g., AWS IMDS)
devstral-2 · analyzed May 21, 2026

nomisec WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-44578

This repository provides a detailed technical analysis of CVE-2026-44578, a high-severity SSRF vulnerability in Next.js. It includes affected versions, mitigation strategies, and example malicious requests, but lacks functional exploit code.

Classification: Writeup (90%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Theoretical
Target: Next.js versions 13.4.13 to <15.5.16 and 16.x to <16.2.5
No auth needed
Prerequisites: Access to a vulnerable Next.js server · Ability to send crafted WebSocket Upgrade requests
devstral-2 · analyzed May 17, 2026

nomisec SCANNER
by love07oj · poc
https://github.com/love07oj/nextjs-cve-2026-44578

This repository contains Nuclei templates for detecting CVE-2026-44578, a Next.js WebSocket Upgrade Handler SSRF vulnerability. The templates validate SSRF behavior and metadata endpoint exposure across multiple cloud providers without extracting credentials.

Classification: Scanner (95%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Next.js (self-hosted deployments)
No auth needed
Prerequisites: vulnerable Next.js deployment · network access to the target
devstral-2 · analyzed May 16, 2026

nomisec WORKING POC
by tocong282 · poc
https://github.com/tocong282/CVE-2026-44578-PoC

This repository contains a functional PoC for CVE-2026-44578, an SSRF vulnerability in the Next.js WebSocket upgrade handler. The exploit leverages WebSocket headers to tunnel requests to internal services, demonstrated with Redis and AWS metadata examples.

Classification: Working PoC (95%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Next.js (13.4.13 → 15.5.15, 16.0.0 → 16.1.6)
No auth needed
Prerequisites: WebSocket endpoint exposed · Network access to target
devstral-2 · analyzed May 15, 2026

nomisec WORKING POC
by panchocosil · poc
https://github.com/panchocosil/verify-ghsa-c4j6-fc7j-m34r

This repository contains a functional exploit PoC for CVE-2026-44578, an SSRF vulnerability in Next.js via WebSocket upgrade requests. The exploit demonstrates the vulnerability by sending crafted HTTP/1.1 WebSocket upgrade requests with absolute URLs, which can lead to SSRF to localhost services on the target machine.

Classification: Working PoC (100%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Next.js versions >=13.4.13 <15.5.16, >=16.0.0 <16.2.5
No auth needed
Prerequisites: TCP connection to a self-hosted Next.js process · ability to send crafted HTTP/1.1 WebSocket upgrade requests
devstral-2 · analyzed May 13, 2026

Nuclei Templates (1)

Next.js WebSocket Upgrade Handler - SSRF
HIGH · VERIFIED · by hacktron, DhiyaneshDk
Shodan: http.component:"Next.js"

References (1)


Scores

CVSS v3 8.6
EPSS 0.0504
EPSS Percentile 89.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (5)
npm/next 13.4.13 - 15.5.16 (npm)
npm/next 16.0.0 - 16.2.5 (npm)
vercel/next.js 13.4.13 - 15.5.16
vercel/next.js >= 13.4.13, < 15.5.16
vercel/next.js >= 16.0.0, < 16.2.5
Published May 13, 2026
Tracked Since May 13, 2026