A high-severity Server-Side Request Forgery (SSRF) vulnerability has been disclosed in Next.js, one of the most widely used React frameworks on the web. If you're self-hosting a Next.js application, this demands your immediate attention.

What Happened?

Self-hosted applications using the built-in Node.js server are vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints.

On May 11, 2026, Vercel published GHSA-c4j6-fc7j-m34r and released Next.js 15.5.16 and 16.2.5, fixing CVE-2026-44578. The flaw lets an unauthenticated attacker, with a single crafted HTTP request, cause the Next.js process to issue an internal HTTP GET to any host reachable from the server on port 80, including cloud metadata services, administrative panels and internal APIs, and read the response.

Technical Root Cause

The vulnerability exists in Next.js's HTTP/1.1 WebSocket upgrade handler in packages/next/src/server/lib/router-server.ts. When a client sends an HTTP Upgrade request with Connection: Upgrade and Upgrade: websocket headers, the upgrade handler calls resolveRoutes to determine the request's destination. The vulnerable handler then checks only parsedUrl.protocol before forwarding to proxyRequest, ignoring the finished and statusCode flags that the equivalent HTTP request handler already checked.

In short: the WebSocket path skipped safety checks that the regular HTTP path already had in place. The fix brings WebSocket handling in line with the existing HTTP controls: upgrade requests are now only proxied when routing has explicitly marked them as safe external rewrites.
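To make the root cause concrete, here is an added illustration (not code from Next.js or the advisory) of the two proxy gates described above. The resolved-route object, its field names (finished, statusCode, parsedUrl.protocol) and the sample cases are assumptions constructed for this example; only the gating logic follows the advisory's description. The useful defensive habit it shows is a parity check: feed the same resolved routes through the HTTP gate and the upgrade gate and fail the build if they ever disagree.

```javascript
// Added illustration, not Next.js's own code. Models the "resolved route" that
// routing hands back before a proxy decision (field names are assumptions):
//   finished   - routing already produced a response (e.g. redirect, 404)
//   statusCode - routing chose a status to send itself
//   parsedUrl  - destination; protocol is set only for absolute (external) URLs
function makeRoute({ finished = false, statusCode = undefined, protocol = null, hostname = null } = {}) {
  return { finished, statusCode, parsedUrl: { protocol, hostname } };
}

// Gate used by the regular HTTP request path: proxy only when routing has not
// already handled the request AND the destination is an absolute external URL.
function httpGateAllowsProxy(route) {
  if (route.finished) return false;
  if (route.statusCode) return false;
  return Boolean(route.parsedUrl.protocol);
}

// Gate of the vulnerable upgrade handler as the advisory describes it:
// it looks only at parsedUrl.protocol and ignores finished / statusCode.
function upgradeGateVulnerable(route) {
  return Boolean(route.parsedUrl.protocol);
}

// Hardened upgrade gate: identical conditions to the HTTP path, so an upgrade
// request is proxied only when routing explicitly resolved an external rewrite.
function upgradeGateFixed(route) {
  return httpGateAllowsProxy(route);
}

// Parity check: run identical resolved routes through two gates and return the
// names of the cases where they disagree. Empty means the paths are consistent.
function findDivergences(gateA, gateB, cases) {
  return cases
    .filter(({ route }) => gateA(route) !== gateB(route))
    .map(({ name }) => name);
}

// Constructed sample cases for this example (hostnames are placeholders).
const CASES = [
  { name: 'explicit external rewrite',
    route: makeRoute({ protocol: 'https:', hostname: 'api.example.com' }) },
  { name: 'internal page, no external target',
    route: makeRoute() },
  { name: 'routing already finished but URL carries a protocol',
    route: makeRoute({ finished: true, protocol: 'http:', hostname: 'internal.example' }) },
  { name: 'routing set a status code but URL carries a protocol',
    route: makeRoute({ statusCode: 404, protocol: 'http:', hostname: 'internal.example' }) },
];

console.log('vulnerable upgrade gate diverges from HTTP gate on:',
  findDivergences(httpGateAllowsProxy, upgradeGateVulnerable, CASES));
console.log('fixed upgrade gate diverges from HTTP gate on:',
  findDivergences(httpGateAllowsProxy, upgradeGateFixed, CASES));
```

The two cases where the vulnerable gate diverges are exactly the ones the advisory names: routing had already finished or already chosen a status code, yet the upgrade path still proxied because a protocol was present. A parity test of this shape, kept in the project's test suite, catches any future handler that grows its own subset of the checks.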

Real World Impact

What makes this especially alarming is that exploitation requires no authentication and no user interaction. Any publicly accessible Next.js deployment running on the built-in Node.js server is potentially exposed.

An attacker targeting an AWS-hosted application, for example, could abuse the SSRF condition to query the instance metadata service and silently retrieve temporary IAM credentials. These credentials can then be used to escalate privileges or move laterally within an organization's cloud environment, all without triggering standard authentication alerts.

Scale of exposure: Approximately 740,000 publicly reachable Next.js servers are indexed on Shodan globally. The directly exposed subset (running on the default next start port with no reverse proxy) numbers around 118,700 hosts. Sampling within that cohort shows roughly 66.7% are running vulnerable versions, yielding an estimate of approximately 79,000 hosts that are directly exploitable today.

Affected Versions

All versions starting from 13.4.13 before 15.5.16, and all versions starting from 16.0.0 before 16.2.5. This spans Next.js 13.x, 14.x, 15.x and early 16.x, a very wide blast radius.

Not affected: Vercel-hosted deployments are not affected. The Vercel infrastructure does not use the vulnerable WebSocket routing implementation. Similarly, the vulnerability does not impact Next.js applications deployed on other managed platforms such as Netlify, AWS Amplify or other PaaS providers that do not expose raw WebSocket upgrade capabilities.

What To Do Right Now

1. Patch immediately: Upgrade to Next.js 15.5.16 or 16.2.5. This is the only complete fix.

2. If you can't patch yet: Do not expose the origin server directly to untrusted networks. If WebSocket upgrades are not required, block them at your reverse proxy or load balancer, and restrict origin egress to internal networks and metadata services where possible.

3. Audit your cloud exposure: Organizations using Next.js in production environments should prioritize patching and review their network architecture to minimize exposure, especially where cloud credentials and internal services are involved.

CVSS Score: 8.6 (High)
Auth Required: None
User Interaction: None
GitHub Advisory: GHSA-c4j6-fc7j-m34r

If you're running self-hosted Next.js in Docker, on EC2, on a VPS, anywhere: check your version and patch today.