PT-2026-38638 · Node.Js · Node.Js
Tim Neutkens +1
Published 2026-05-06 · Updated 2026-06-30
CVE-2026-44578
CVSS v3.1: 8.6 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Next.js versions 13.4.13 through 15.5.15
Next.js versions 16.0.0 through 16.2.4
Description
Self-hosted applications using the built-in Node.js server are subject to server-side request forgery (SSRF), a condition in which an attacker forces the server to make requests to an unintended location. Unauthenticated remote attackers can send crafted absolute-form HTTP requests carrying an Upgrade: websocket header to make the server proxy the request to an arbitrary internal or external destination. This can expose internal services, admin panels, private APIs, and cloud metadata endpoints (such as 169.254.169.254), potentially leading to the theft of cloud credentials, API keys, and secrets. Approximately 79,000 instances are estimated to be exposed on Shodan. Vercel-hosted deployments are not affected.
Recommendations
For versions 13.4.13 through 15.5.15, upgrade to version 15.5.16.
For versions 16.0.0 through 16.2.4, upgrade to version 16.2.5.
As a temporary workaround, block WebSocket upgrades at the reverse proxy or load balancer if they are not required.
Restrict origin egress to internal networks and metadata services where possible.
Avoid exposing the origin server directly to untrusted networks.
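A proxy-side check for the request shape the advisory describes, as an added example that is not code from Next.js, Vercel or this advisory: it parses the head of a raw HTTP/1.1 request and flags the combination of an absolute-form request target and an Upgrade: websocket header, which is the traffic the reverse-proxy workaround above is meant to stop. The sample requests are constructed, and hostnames such as app.example and internal.example are placeholders.

```python
"""Classify raw HTTP/1.1 requests at a reverse proxy or WAF according to the
pattern in the advisory: an absolute-form request target combined with an
`Upgrade: websocket` header. Added example, not Next.js or advisory code."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ParsedRequest:
    method: str
    target: str
    version: str
    headers: dict  # lowercased header name -> value


def parse_request_head(raw: bytes) -> ParsedRequest:
    """Parse the request line and headers of a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return ParsedRequest(method, target, version, headers)


def is_absolute_form(target: str) -> bool:
    """True for absolute-form targets (scheme://host/...), False for the usual
    origin-form (/path), asterisk-form (*) and authority-form (host:port)."""
    parts = urlsplit(target)
    return bool(parts.scheme) and bool(parts.netloc)


def requests_websocket_upgrade(headers: dict) -> bool:
    """True if the Upgrade header lists the websocket protocol (case-insensitive,
    tolerant of comma-separated lists such as 'h2c, websocket')."""
    upgrade = headers.get("upgrade", "")
    return any(tok.strip().lower() == "websocket" for tok in upgrade.split(","))


def classify(raw: bytes) -> str:
    """Return 'block' for the advisory's pattern, 'websocket' for an ordinary
    origin-form upgrade (allow only if the app needs WebSockets), else 'allow'."""
    req = parse_request_head(raw)
    absolute = is_absolute_form(req.target)
    upgrade = requests_websocket_upgrade(req.headers)
    if absolute and upgrade:
        return "block"
    if upgrade:
        return "websocket"
    # Plain absolute-form requests are legal HTTP/1.1 and are left alone here.
    return "allow"


# Constructed sample requests (placeholder hostnames).
SAMPLE_ORIGIN_FORM = (
    b"GET /api/health HTTP/1.1\r\nHost: app.example\r\n\r\n"
)
SAMPLE_ORIGIN_UPGRADE = (
    b"GET /ws HTTP/1.1\r\nHost: app.example\r\n"
    b"Connection: Upgrade\r\nUpgrade: websocket\r\n\r\n"
)
SAMPLE_ABSOLUTE_PLAIN = (
    b"GET http://app.example/api/health HTTP/1.1\r\nHost: app.example\r\n\r\n"
)
SAMPLE_ABSOLUTE_UPGRADE = (
    b"GET http://internal.example/ HTTP/1.1\r\nHost: app.example\r\n"
    b"Connection: Upgrade\r\nUpgrade: WebSocket\r\n\r\n"
)

if __name__ == "__main__":
    for name, sample in [
        ("origin-form", SAMPLE_ORIGIN_FORM),
        ("origin-form upgrade", SAMPLE_ORIGIN_UPGRADE),
        ("absolute-form", SAMPLE_ABSOLUTE_PLAIN),
        ("absolute-form upgrade", SAMPLE_ABSOLUTE_UPGRADE),
    ]:
        print("%-22s -> %s" % (name, classify(sample)))
```

In practice this logic belongs in the reverse proxy or WAF in front of the origin server; where the application does not use WebSockets at all, the simpler form of the workaround in the advisory is to reject or strip every Upgrade header there rather than to distinguish request-target forms.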