{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/next.js/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["next (\u003c 15.5.16)","next (\u003c 16.2.5)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","connection-exhaustion","next.js","cve-2026-44579"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA denial-of-service vulnerability (CVE-2026-44579) exists in Next.js applications that use Partial Prerendering through the Cache Components feature. An attacker can exhaust server connections by sending specially crafted POST requests to a server action. Each such request triggers a deadlock in request-body handling, so the connection stays open for an extended period rather than completing; enough of them consume the server\u0026rsquo;s file descriptors and connection capacity and deny service to legitimate users. Affected versions are 15.0.0 up to, but not including, 15.5.16 and 16.0.0 up to, but not including, 16.2.5. 
The fix treats the \u003ccode\u003eNext-Resume\u003c/code\u003e header as internal-only and strips it from untrusted incoming requests, so a value supplied from outside is discarded before it reaches the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Next.js application using Partial Prerendering and Cache Components.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeted at a server action endpoint.\u003c/li\u003e\n\u003cli\u003eThe request carries a \u003ccode\u003eNext-Resume\u003c/code\u003e header, which is meant for internal use only and is never sent by legitimate external clients.\u003c/li\u003e\n\u003cli\u003eOn receiving the crafted request, the application deadlocks while reading the request body.\u003c/li\u003e\n\u003cli\u003eThe connection remains open and holds server resources, including a file descriptor, for as long as the deadlock persists.\u003c/li\u003e\n\u003cli\u003eThe attacker sends many such requests concurrently, multiplying the resources held.\u003c/li\u003e\n\u003cli\u003eThe server\u0026rsquo;s capacity to accept new connections shrinks as file descriptors and connection slots run out.\u003c/li\u003e\n\u003cli\u003eLegitimate users are denied service because the server can no longer accept or process their requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44579 makes the affected Next.js application unavailable to legitimate users. The scale of the outage depends on how many connections the attacker can hold open relative to the server\u0026rsquo;s file-descriptor and connection limits; because each crafted request costs the attacker little but pins a server connection until the deadlock clears, the asymmetry favours the attacker. Internet-facing deployments that serve critical functions, such as e-commerce or content delivery, are the most exposed. 
The resulting outage translates into lost revenue, reputational damage and disrupted service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Next.js to 15.5.16 or later on the 15.x branch, or 16.2.5 or later on the 16.x branch; these releases contain the fix for CVE-2026-44579.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is deployed, block or strip requests carrying the \u003ccode\u003eNext-Resume\u003c/code\u003e header at the edge (reverse proxy, load balancer or WAF). Match the header name case-insensitively, as HTTP field names are, so that \u003ccode\u003enext-resume\u003c/code\u003e is caught as well; because the header is internal-only, legitimate external clients never send it and the rule should not affect real users.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Next-Resume Header\u003c/code\u003e to flag exploitation attempts by alerting on the presence of the \u003ccode\u003eNext-Resume\u003c/code\u003e header in incoming HTTP requests.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for a high volume of POST requests to server action endpoints and correlate with the \u003ccode\u003eNext-Resume\u003c/code\u003e header to refine detection. Note that most web servers write an access log entry only when a request finishes, so a deadlocked connection may not appear in the log until it is finally closed; the count of open connections or in-flight requests at the proxy is the faster signal.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T15:59:02Z","date_published":"2026-05-11T15:59:02Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nextjs-dos/","summary":"Next.js applications using Partial Prerendering through Cache Components are vulnerable to connection exhaustion (CVE-2026-44579), where crafted POST requests to a server action trigger a request-body handling deadlock, consuming server capacity and leading to denial of service.","title":"Next.js Cache Components Vulnerable to Denial-of-Service via Connection Exhaustion 
(CVE-2026-44579)","url":"https://feed.craftedsignal.io/briefs/2026-05-nextjs-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["next.js"],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-44578","next.js","websocket","server-side request forgery"],"_cs_type":"advisory","_cs_vendors":["Vercel"],"content_html":"\u003cp\u003eNext.js applications that handle WebSocket upgrades are susceptible to a server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-44578. A crafted WebSocket upgrade request can force the server to proxy the connection to an arbitrary internal or external destination. Only self-hosted applications running the built-in Node.js server are affected; Vercel-hosted deployments are not. Affected versions are npm/next (\u0026gt;= 13.4.13, \u0026lt; 15.5.16) and npm/next (\u0026gt;= 16.0.0, \u0026lt; 16.2.5). The fix applies to WebSocket upgrade handling the same safety checks that already existed for normal HTTP requests, so upgrade requests are proxied only when routing has explicitly marked them as safe external rewrites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a self-hosted Next.js application that accepts WebSocket upgrades.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious WebSocket upgrade request. 
This request names a target destination (internal or external) that the server will be made to proxy to.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted WebSocket upgrade request to the Next.js server.\u003c/li\u003e\n\u003cli\u003eThe Next.js server, which did not apply to upgrade requests the safety checks it applied to ordinary HTTP requests, accepts the upgrade.\u003c/li\u003e\n\u003cli\u003eThe server opens a connection to the attacker-specified destination.\u003c/li\u003e\n\u003cli\u003eThe server relays data between the attacker and the target, giving the attacker a bidirectional channel that originates from the server\u0026rsquo;s network position.\u003c/li\u003e\n\u003cli\u003eThe attacker reaches internal services, cloud metadata endpoints, or other resources that are not exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive information or uses the access to move further into the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44578 exposes internal services, cloud metadata endpoints, and any other resource the origin server can reach. Because the server relays the connection rather than fetching a single URL, the attacker gets interactive access to the target, which can lead to credential theft from metadata endpoints, data breaches, privilege escalation, or further compromise of the infrastructure. Exposure depends on what the origin can reach over the network and on whether it is reachable directly from untrusted networks; 
Vercel-hosted deployments are not affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Next.js to a patched release (\u0026gt;= 15.5.16 on the 15.x branch, or \u0026gt;= 16.2.5 on the 16.x branch), as described in GHSA-c4j6-fc7j-m34r.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WebSocket Upgrade Requests\u003c/code\u003e to flag exploitation attempts by alerting on suspicious target domains in WebSocket upgrade requests.\u003c/li\u003e\n\u003cli\u003eIf an immediate upgrade is not possible, apply the workarounds from GHSA-c4j6-fc7j-m34r: do not expose the origin server directly to untrusted networks, and block WebSocket upgrades at the reverse proxy or load balancer where the application does not need them. A proxy that does not forward the \u003ccode\u003eUpgrade\u003c/code\u003e and \u003ccode\u003eConnection\u003c/code\u003e headers to the origin cannot relay an upgrade; where some routes do need WebSockets, allow upgrades only on those paths.\u003c/li\u003e\n\u003cli\u003eRestrict egress from the origin so that it cannot reach internal networks or the cloud metadata service (the link-local 169.254.169.254 address on the major clouds) unless a route genuinely requires it, as recommended in GHSA-c4j6-fc7j-m34r.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T15:56:10Z","date_published":"2026-05-11T15:56:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nextjs-ssrf/","summary":"Next.js applications using WebSocket upgrades are vulnerable to server-side request forgery (SSRF) through crafted WebSocket upgrade requests, allowing attackers to proxy requests to internal or external destinations, affecting self-hosted applications running versions npm/next (\u003e= 13.4.13, \u003c 15.5.16) and npm/next (\u003e= 16.0.0, \u003c 16.2.5).","title":"Next.js SSRF Vulnerability via WebSocket Upgrade Requests (CVE-2026-44578)","url":"https://feed.craftedsignal.io/briefs/2026-05-nextjs-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Next.js","version":"https://jsonfeed.org/version/1.1"}
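The following is an added example that is not part of the CraftedSignal feed and not code from Vercel or Next.js. It sketches, in Node.js-style JavaScript, the edge-side workarounds recommended in both briefs above: stripping the internal-only `Next-Resume` header from untrusted requests (the CVE-2026-44579 workaround) and refusing WebSocket upgrades on paths that do not need them (the CVE-2026-44578 workaround). The header name and the two workarounds come from the briefs; the policy object, the `/ws/` allowlist, the function names and the sample requests are assumptions made for illustration.

```javascript
// Added example, not code from the CraftedSignal feed, from Vercel or from
// Next.js itself. Edge-side request hardening in front of a self-hosted
// Next.js origin, implementing the two interim workarounds above:
//   - strip the internal-only Next-Resume header from untrusted requests
//     (CVE-2026-44579), matching the name case-insensitively;
//   - refuse WebSocket upgrades on paths that do not need them
//     (CVE-2026-44578), so the origin never sees an upgrade it should not proxy.
// The header name and both workarounds come from the advisories; the policy
// shape, path allowlist, function names and sample requests are assumptions.

// Headers that only the server's own internal machinery should ever set.
const INTERNAL_ONLY_HEADERS = ['next-resume'];

// Illustrative policy: path prefixes on which WebSocket upgrades are allowed.
// An empty list means the edge accepts no upgrades at all.
function defaultPolicy() {
  return { websocketPathPrefixes: ['/ws/'] };
}

// Lower-case all header names so comparisons are case-insensitive, as HTTP
// field names are. A rule matching only the literal "Next-Resume" is bypassed
// by "next-resume" or "NEXT-RESUME".
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Split a Connection header into its lower-cased tokens
// ("keep-alive, Upgrade" -> ["keep-alive", "upgrade"]).
function connectionTokens(value) {
  return String(value || '')
    .toLowerCase()
    .split(',')
    .map((t) => t.trim())
    .filter(Boolean);
}

// Decide what to do with one inbound request. Returns
// { action: 'forward' | 'reject', status, reason, headers, stripped } where
// `headers` is the sanitised header set to pass upstream.
function hardenInboundRequest(req, policy = defaultPolicy()) {
  const headers = normalizeHeaders(req.headers || {});
  const stripped = [];

  // 1) Drop internal-only headers instead of forwarding them to the origin.
  for (const name of INTERNAL_ONLY_HEADERS) {
    if (name in headers) {
      delete headers[name];
      stripped.push(name);
    }
  }

  // 2) A WebSocket handshake (RFC 6455) carries "Upgrade: websocket" (token
  //    compared case-insensitively) and a Connection header containing the
  //    "upgrade" token. Only let it through on allowlisted paths.
  const upgrade = String(headers.upgrade || '').trim().toLowerCase();
  const wantsWebSocket =
    upgrade === 'websocket' && connectionTokens(headers.connection).includes('upgrade');

  if (wantsWebSocket) {
    const allowed = policy.websocketPathPrefixes.some((p) => req.path.startsWith(p));
    if (!allowed) {
      return {
        action: 'reject',
        status: 403,
        reason: `websocket upgrade not permitted on ${req.path}`,
        headers,
        stripped,
      };
    }
  }

  return {
    action: 'forward',
    status: null,
    reason: stripped.length ? `stripped internal-only headers: ${stripped.join(', ')}` : 'ok',
    headers,
    stripped,
  };
}

// Constructed sample requests (not captured traffic) exercising each branch.
const SAMPLE_REQUESTS = [
  { method: 'POST', path: '/dashboard', headers: { 'Next-Resume': '1', 'Content-Type': 'text/plain' } },
  { method: 'POST', path: '/dashboard', headers: { 'NEXT-resume': '1' } },
  { method: 'GET', path: '/api/stream', headers: { Upgrade: 'WebSocket', Connection: 'keep-alive, Upgrade' } },
  { method: 'GET', path: '/ws/chat', headers: { Upgrade: 'websocket', Connection: 'Upgrade' } },
  { method: 'GET', path: '/', headers: { Accept: 'text/html' } },
];

function runSamples(policy = defaultPolicy()) {
  return SAMPLE_REQUESTS.map((r) => hardenInboundRequest(r, policy));
}
```

Wire `hardenInboundRequest` in at the reverse proxy, or in a Node `http` server's `request` and `upgrade` handlers before anything is proxied upstream; on the `upgrade` event a rejection has to be written to the raw socket, since Node gives that handler no response object. The check lower-cases the `Upgrade` value and the `Connection` tokens as well as the header names, because a rule that compares only one literal spelling is trivially bypassed.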
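A second added example, again not from the CraftedSignal feed or from Next.js, illustrates the log-monitoring recommendation in the first brief: review web server access logs for clients that send bursts of POST requests carrying the `Next-Resume` header. The log format is an assumption, an nginx-style line extended with the request header value as `next_resume="<value or ->"`; the sample lines are constructed, not captured traffic, and the thresholds are illustrative. Because the vulnerable request hangs, the access log entry is written only when the connection finally closes, so a review like this runs behind real time; treat it as a triage aid alongside open-connection metrics at the proxy.

```javascript
// Added example, not code from the CraftedSignal feed or from Next.js. Log
// review for the detection advice above: find clients sending bursts of POST
// requests that carry the internal-only Next-Resume header. The log format is
// an assumption (an nginx-style access log extended with the request header
// value as next_resume="<value or ->"); the sample lines are constructed.

// Assumed line shape:
//   <client ip> [<ISO-8601 time>] "<METHOD> <path> HTTP/x.y" <status> next_resume="<value|->"
const LINE_RE = /^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\S+) next_resume="([^"]*)"$/;

// Parse one line into an event, or null if it does not match (so one
// malformed line does not abort the run).
function parseAccessLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[2]);
  if (Number.isNaN(ts)) return null;
  return {
    ip: m[1],
    ts,
    method: m[3],
    path: m[4],
    status: m[5],
    // "-" is the conventional "header absent" marker in web server logs.
    nextResume: m[6] === '-' ? null : m[6],
  };
}

// Findings per offending client:
//   next_resume_from_untrusted_client: the header appeared at all (it is
//     internal-only, so any external occurrence is worth a look);
//   next_resume_post_burst: at least `threshold` such POSTs fell inside some
//     `windowMs`-wide sliding window, the shape of a connection-exhaustion attempt.
function detectNextResumeAbuse(lines, { windowMs = 10000, threshold = 5 } = {}) {
  const events = lines
    .map(parseAccessLogLine)
    .filter((e) => e && e.method === 'POST' && e.nextResume !== null)
    .sort((a, b) => a.ts - b.ts);

  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }

  const findings = [];
  for (const [ip, evs] of byIp) {
    findings.push({ ip, type: 'next_resume_from_untrusted_client', count: evs.length });

    // Sliding window over the sorted timestamps: advance `start` until the
    // window [evs[start].ts, evs[i].ts] fits, and track the widest window seen.
    let start = 0;
    let peak = 0;
    for (let i = 0; i < evs.length; i++) {
      while (evs[i].ts - evs[start].ts > windowMs) start++;
      peak = Math.max(peak, i - start + 1);
    }
    if (peak >= threshold) {
      findings.push({ ip, type: 'next_resume_post_burst', peakInWindow: peak, windowMs });
    }
  }
  return findings;
}

// Constructed sample log: one ordinary user, one client hammering a server
// action with the header (499 is nginx's code for a client that went away
// before a response was sent), one stray single occurrence, one unparseable line.
const SAMPLE_LOG = [
  '203.0.113.10 [2026-05-11T16:02:00Z] "GET /dashboard HTTP/1.1" 200 next_resume="-"',
  '203.0.113.10 [2026-05-11T16:02:03Z] "POST /dashboard HTTP/1.1" 200 next_resume="-"',
  '198.51.100.7 [2026-05-11T16:02:01Z] "POST /dashboard HTTP/1.1" 499 next_resume="1"',
  '198.51.100.7 [2026-05-11T16:02:01Z] "POST /dashboard HTTP/1.1" 499 next_resume="1"',
  '198.51.100.7 [2026-05-11T16:02:02Z] "POST /dashboard HTTP/1.1" 499 next_resume="1"',
  '198.51.100.7 [2026-05-11T16:02:02Z] "POST /dashboard HTTP/1.1" 499 next_resume="1"',
  '198.51.100.7 [2026-05-11T16:02:03Z] "POST /dashboard HTTP/1.1" 499 next_resume="1"',
  '198.51.100.7 [2026-05-11T16:02:04Z] "POST /dashboard HTTP/1.1" 499 next_resume="1"',
  '192.0.2.5 [2026-05-11T16:05:00Z] "POST /account HTTP/1.1" 200 next_resume="1"',
  'garbage line that does not parse',
];
```

Run `detectNextResumeAbuse(SAMPLE_LOG)` to see the two finding types; the single occurrence from `192.0.2.5` is reported because the header should never arrive from outside, while only `198.51.100.7` trips the burst rule. Tune `windowMs` and `threshold` to the site's normal server-action rate.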