Description
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 8.6 High
EPSS: 5.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Next.js applications that use the built‑in Node.js server are vulnerable when a malicious actor sends a specially crafted WebSocket upgrade request. The server, following the upgrade, forwards the request to the target host without proper validation, effectively acting as a proxy. This server‑side request forgery flaw (CWE‑918) can expose internal services or cloud metadata endpoints, enabling data leakage or further lateral movement.

Affected Systems

The issue affects self‑hosted Next.js versions ranging from 13.4.13 up to (but excluding) 15.5.16 and 16.2.5. Deployments hosted on Vercel are not affected. The vulnerability is mitigated in 15.5.16 and 16.2.5 and later releases.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity. The EPSS score of 4% suggests a moderate probability of exploitation. The vulnerability has not been listed in the CISA KEV catalog. An attacker can exploit the flaw by sending a crafted WebSocket upgrade request to the application, causing the server to proxy traffic to arbitrary internal or external destinations. No data indicates exploitation of remote code execution, but SSRF could lead to data exfiltration or access to privileged cloud metadata.

Generated by OpenCVE AI on May 16, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to version 15.5.16 or 16.2.5 (or later) to apply the vendor patch.
  • If an upgrade is delayed, disable or tightly restrict WebSocket upgrade handling in the application configuration, ensuring only trusted origins can initiate upgrades.
  • Continuously monitor WebSocket upgrade traffic for anomalous requests and verify that no internal or metadata endpoints are being accessed from the server.

Generated by OpenCVE AI on May 16, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c4j6-fc7j-m34r Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades
History

Wed, 03 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 14 May 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Vercel
Vercel next.js
Vendors & Products Vercel
Vercel next.js

Wed, 13 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
Title Next.js: Server-side request forgery in applications using WebSocket upgrades
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Vercel Next.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:19:41.524Z

Reserved: 2026-05-06T21:49:12.424Z

Link: CVE-2026-44578

cve-icon Vulnrichment

Updated: 2026-05-13T18:09:18.775Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T18:16:17.990

Modified: 2026-05-14T18:34:38.530

Link: CVE-2026-44578

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-13T17:01:38Z

Links: CVE-2026-44578 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T14:45:25Z

Weaknesses