Tracked as CVE-2026-44578 with a CVSS score of 8.6, the flaw lies in how self-hosted Next.js applications handle WebSocket upgrade requests, opening the door to server-side request forgery (SSRF) attacks.
Critical Next.js Flaw
According to a GitHub advisory published by Next.js maintainer Tim Neutkens, the vulnerability stems from improper validation during WebSocket upgrade handling.
Attackers can craft malicious WebSocket upgrade requests that trick the server into forwarding traffic to unintended internal destinations, including cloud infrastructure endpoints and metadata APIs that store highly sensitive data such as IAM credentials and access tokens.
What makes this especially alarming is that exploitation requires no authentication and no user interaction.
Any publicly accessible Next.js deployment running on the built-in Node.js server is potentially exposed.
The vulnerability affects the following versions:
- 13.4.13 through 15.5.15
- 16.0.0 through 16.2.4
One of the most dangerous exploitation scenarios involves cloud metadata endpoints. An attacker targeting an AWS-hosted application, for example, could abuse the SSRF condition to query the instance metadata service and silently retrieve temporary IAM credentials.
These credentials can then be used to escalate privileges or move laterally within an organization’s cloud environment, all without triggering standard authentication alerts.
Organizations running on Vercel are not affected, as the platform implements additional request routing safeguards. However, teams managing their own infrastructure face significant exposure.
Patches and Mitigations
The Next.js security team has responded quickly, releasing patched versions 15.5.16 and 16.2.5.
These updates introduce stricter validation for WebSocket upgrade requests, ensuring that only explicitly trusted external rewrites are permitted and bringing WebSocket handling in line with the existing HTTP security controls.
For organizations that cannot patch immediately, the following mitigations are strongly recommended:
- Avoid exposing origin servers directly to the internet
- Block unnecessary WebSocket upgrade requests at reverse proxies or load balancers
- Restrict outbound traffic to sensitive internal endpoints and cloud metadata services
- Review network architecture for unintended internal service exposure
This incident reflects a broader and concerning trend: modern web frameworks are increasingly becoming high-value attack targets due to their deep integration with backend infrastructure and cloud services.
As SSRF vulnerabilities continue to grow in sophistication, security teams must enforce stricter network controls and input validation at every layer.
Organizations running Next.js in production should treat this as a priority patch and conduct a thorough review of their cloud credential exposure and internal network boundaries.
The post Critical Next.js Flaw Exposes Cloud Credentials, API Keys, and Admin Panels appeared first on Cyber Security News.