CVE-2026-44578
Last modified
CVE-2026-44578 is a high-severity vulnerability rated 8.6/10 on the CVSS scale. Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. EPSS estimates a 37.76% chance of exploitation in the next 30 days.
Description
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vercel | Next.Js | >= 13.4.13, < 15.5.16 |
| Vercel | Next.Js | >= 16.0.0, < 16.2.5 |
References
- https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34rMitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-44578?
How severe is CVE-2026-44578?
How do I fix CVE-2026-44578?
Are you affected by CVE-2026-44578?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST