PT-2026-38638 · Node.Js · Node.Js

Tim Neutkens +1

Published: 2026-05-06
Updated: 2026-06-30

CVE-2026-44578

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Next.js versions 13.4.13 through 15.5.15
Next.js versions 16.0.0 through 16.2.4

Description

Self-hosted applications using the built-in Node.js server are subject to server-side request forgery (SSRF), a condition in which an attacker forces a server to make requests to an unintended location. Unauthenticated remote attackers can use crafted absolute-form HTTP requests containing Upgrade: websocket headers to force the server to proxy requests to arbitrary internal or external destinations. This can expose internal services, admin panels, private APIs, and cloud metadata endpoints (such as 169.254.169.254), potentially leading to the theft of cloud credentials, API keys, and secrets. Approximately 79,000 instances are estimated to be exposed on Shodan. Vercel-hosted deployments are not affected.

Recommendations

For versions 13.4.13 through 15.5.15, upgrade to version 15.5.16. For versions 16.0.0 through 16.2.4, upgrade to version 16.2.5. As a temporary workaround, block WebSocket upgrades at the reverse proxy or load balancer if they are not required. Restrict egress from the origin server to internal networks and metadata services where possible. Avoid exposing the origin server directly to untrusted networks.
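The reverse-proxy workaround from the recommendations, as an added nginx example that is not part of this advisory: the first server block is a typical configuration that relays any client-supplied Upgrade header to the Next.js origin, the second refuses WebSocket upgrades at the edge and strips the hop-by-hop headers before proxying. The upstream address, hostname and TLS paths are placeholders.

```nginx
# Added example (not from the advisory): nginx in front of a self-hosted Next.js
# server. 127.0.0.1:3000, app.example.com and the TLS paths are placeholders.
# Only one of the two server blocks should be active; both are shown for contrast.
upstream nextjs_origin {
    server 127.0.0.1:3000;
}

# BEFORE: common copy-paste proxy block. It forwards whatever Upgrade header the
# client sends, so unauthenticated clients reach the origin's upgrade handling.
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.pem;    # placeholder
    ssl_certificate_key /etc/nginx/tls/app.key;    # placeholder

    location / {
        proxy_pass http://nextjs_origin;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;    # client-controlled value forwarded
        proxy_set_header Connection "upgrade";
    }
}

# AFTER: temporary workaround until the origin runs 15.5.16 / 16.2.5. Upgrade
# attempts are rejected at the edge and the hop-by-hop headers are never forwarded.
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.pem;    # placeholder
    ssl_certificate_key /etc/nginx/tls/app.key;    # placeholder

    location / {
        # Refuse any protocol upgrade before the request reaches the Node.js server.
        if ($http_upgrade != "") {
            return 403;
        }
        proxy_pass http://nextjs_origin;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # An empty value removes the header, so no upgrade value can pass through.
        proxy_set_header Upgrade "";
        proxy_set_header Connection "";
    }
}
```

If the application legitimately needs WebSockets on a known path, allow the upgrade only in a dedicated location block for that path and keep the rejection everywhere else.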

Exploit

Fix

SSRF

Related Identifiers

BDU:2026-07000
CVE-2026-44578
GHSA-C4J6-FC7J-M34R

Affected Products

Node.Js