CVE-2026-44578: CWE-918: Server-Side Request Forgery (SSRF) in vercel next.js
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
AI Analysis
Technical Summary
Next.js versions 13.4.13 to before 15.5.16 and 16.0.0 to before 16.2.5, when self-hosted using the built-in Node.js server, are vulnerable to SSRF via crafted WebSocket upgrade requests. This allows attackers to make the server proxy requests to arbitrary destinations, which may expose sensitive internal resources or cloud metadata endpoints. The vulnerability is identified as CWE-918 and has a CVSS v3.1 score of 8.6 (high severity). Vercel-hosted deployments are not affected. The vulnerability is fixed in versions 15.5.16 and 16.2.5.
Potential Impact
Successful exploitation can lead to unauthorized access to internal services or cloud metadata endpoints by proxying requests through the vulnerable Next.js server. This can result in exposure of sensitive information. The vulnerability does not impact integrity or availability directly but has a high confidentiality impact as indicated by the CVSS vector.
Mitigation Recommendations
Upgrade self-hosted Next.js deployments to version 15.5.16 or later if on the 13.x or 15.x branch, or to version 16.2.5 or later if on the 16.x branch. Vercel-hosted deployments are not affected and require no action. Patch status is not explicitly stated in the vendor advisory, but the fixed versions indicate an official fix is available. Users should verify they are running a fixed version to mitigate this vulnerability.
CVE-2026-44578: CWE-918: Server-Side Request Forgery (SSRF) in vercel next.js
Description
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Next.js versions 13.4.13 to before 15.5.16 and 16.0.0 to before 16.2.5, when self-hosted using the built-in Node.js server, are vulnerable to SSRF via crafted WebSocket upgrade requests. This allows attackers to make the server proxy requests to arbitrary destinations, which may expose sensitive internal resources or cloud metadata endpoints. The vulnerability is identified as CWE-918 and has a CVSS v3.1 score of 8.6 (high severity). Vercel-hosted deployments are not affected. The vulnerability is fixed in versions 15.5.16 and 16.2.5.
Potential Impact
Successful exploitation can lead to unauthorized access to internal services or cloud metadata endpoints by proxying requests through the vulnerable Next.js server. This can result in exposure of sensitive information. The vulnerability does not impact integrity or availability directly but has a high confidentiality impact as indicated by the CVSS vector.
Mitigation Recommendations
Upgrade self-hosted Next.js deployments to version 15.5.16 or later if on the 13.x or 15.x branch, or to version 16.2.5 or later if on the 16.x branch. Vercel-hosted deployments are not affected and require no action. Patch status is not explicitly stated in the vendor advisory, but the fixed versions indicate an official fix is available. Users should verify they are running a fixed version to mitigate this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-06T21:49:12.424Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04ba22cbff5d8610f482d5
Added to database: 5/13/2026, 5:51:30 PM
Last enriched: 5/13/2026, 6:06:38 PM
Last updated: 5/13/2026, 7:09:42 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.