Product

Next.js

1 brief RSS

Next.js SSRF Vulnerability via WebSocket Upgrade Requests (CVE-2026-44578)

Next.js applications using WebSocket upgrades are vulnerable to server-side request forgery (SSRF) through crafted WebSocket upgrade requests, allowing attackers to proxy requests to internal or external destinations, affecting self-hosted applications running versions npm/next (>= 13.4.13, < 15.5.16) and npm/next (>= 16.0.0, < 16.2.5).

next.js ssrf cve-2026-44578 websocket server-side request forgery

2r 1t 2h ago