CVE-2026-44578 is a High-severity server-side request forgery vulnerability affecting self-hosted Next.js applications that use the built-in Node.js server. The vulnerability exists in WebSocket upgrade request handling, where crafted requests can cause the server to proxy connections to arbitrary internal or external destinations. Vercel-hosted deployments are not affected.
Next.js is an open-source React framework for building full-stack web applications. In affected self-hosted deployments, crafted WebSocket upgrade requests can abuse the built-in Node.js server and cause it to proxy requests to attacker-selected destinations.
This may expose internal services, administrative interfaces, or cloud metadata endpoints reachable from the affected server. The issue is classified as CWE-918 (Server-Side Request Forgery) and has a CVSS 3.1 base score of 8.6, rated High.
A NodeZero Rapid Response test has been developed to safely validate whether this server-side request forgery vulnerability can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.
Run the Rapid Response test: Launch from the NodeZero platform to determine whether affected self-hosted Next.js applications can proxy requests to unauthorized internal or external destinations
Patch immediately: Upgrade Next.js to version 15.5.16 or later for the 15.x branch, or 16.2.5 or later for the 16.x branch
Re-run the test: Confirm the vulnerability is no longer exploitable after remediation
Affected: Self-hosted Next.js applications that use the built-in Node.js server
Not affected: Vercel-hosted deployments
Patch: Next.js 15.5.16 or later (15.x branch); Next.js 16.2.5 or later (16.x branch)
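The fastest exposure check a defender can run before and after patching is a version comparison against the fixed releases the advisory names. The script below is an added example written for this page; it is not Horizon3's or the Next.js project's code. It reads the installed `next` version from a `package-lock.json` (or falls back to the `package.json` dependency spec) and classifies it using the fix versions stated above: 15.5.16 for 15.x and 16.2.5 for 16.x. The sample lockfile embedded in it is constructed, the assumption that only the 15.x and 16.x branches are in scope is mine, and a prerelease tag is treated as its base version for simplicity.

```javascript
// Added example (not Horizon3's or Next.js's code): classify an installed
// Next.js version against the fixed releases named in the CVE-2026-44578
// advisory. Assumption: only the 15.x and 16.x branches are in scope; any
// other major version is reported as "unknown" rather than guessed at.

const FIXED_VERSIONS = { 15: "15.5.16", 16: "16.2.5" }; // from the advisory

// Parse "16.2.5", "^16.2.5" or "16.2.5-canary.3" into [major, minor, patch].
// A prerelease suffix is ignored, so a canary build is treated as its base
// version (a simplification, stated as such).
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "vulnerable", "patched" or "unknown" for a single version string.
function assessNextVersion(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_VERSIONS[parsed[0]];
  if (!fixed) return "unknown";
  return compareVersions(parsed, parseVersion(fixed)) < 0 ? "vulnerable" : "patched";
}

// Pull the installed "next" version from a lockfile (v2/v3 "packages" map or
// the older v1 "dependencies" map) or, failing that, from a package.json.
// A package.json range such as "^16.2.4" is only a floor, so prefer the
// lockfile, which records what was actually installed.
function nextVersionFromManifest(manifest) {
  if (manifest.packages && manifest.packages["node_modules/next"]) {
    return manifest.packages["node_modules/next"].version;
  }
  if (manifest.dependencies && manifest.dependencies.next) {
    const dep = manifest.dependencies.next;
    return typeof dep === "string" ? dep : dep.version;
  }
  return null;
}

// Returns { version, status } for a parsed manifest object.
function assessManifest(manifest) {
  const v = nextVersionFromManifest(manifest);
  return v ? { version: v, status: assessNextVersion(v) }
           : { version: null, status: "unknown" };
}

// Constructed sample lockfile (not from any real project) for demonstration:
// the root declares "^16.2.4" but the resolved install is 16.2.4, one patch
// release short of the fix.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^16.2.4" } },
    "node_modules/next": { version: "16.2.4" },
  },
};

// Usage: node check-next.js [path/to/package-lock.json]
// Without a path, the constructed sample lockfile is assessed.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const file = process.argv[2];
  const manifest = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  console.log(assessManifest(manifest));
}
```

The script only answers the version question. It cannot tell whether the application is self-hosted on the built-in Node.js server or deployed on Vercel, which the advisory states is not affected, so a "vulnerable" result still needs to be read together with where the application actually runs.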
The NodeZero® platform empowers your organization to reduce its security risk by autonomously finding exploitable weaknesses in your network, giving you detailed guidance on how to prioritize and fix them, and letting you immediately verify that your fixes are effective.