CVE-2026-44578

Next.js: Server-side request forgery in applications using WebSocket upgrades

Assigner: GitHub_M
Reserved: 06.05.2026 Published: 13.05.2026 Updated: 13.05.2026

Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 8.6

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	vercel
Product	next.js
Versions	Version >= 16.0.0, < 16.2.5 is affected Version >= 13.4.13, < 15.5.16 is affected

Vendor

vercel

Product

next.js

Versions

Version >= 16.0.0, < 16.2.5 is affected
Version >= 13.4.13, < 15.5.16 is affected

References

Problem Types

CWE-918: Server-Side Request Forgery (SSRF) CWE

CVE-2026-44578 PUBLISHED

Next.js: Server-side request forgery in applications using WebSocket upgrades

Metrics

Product Status

References

Problem Types