Fluid Attacks Database

Description

A flaw was found in Next.js. Self-hosted applications utilizing the built-in Node.js server are vulnerable to Server-Side Request Forgery (SSRF) through specially crafted WebSocket upgrade requests. A remote attacker can exploit this by causing the server to proxy requests to arbitrary internal or external destinations. This could lead to the exposure of internal services or sensitive cloud metadata endpoints.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	next	>=13.4.13 <15.5.16 \|\| >=16.0.0 <16.2.5	15.5.16, 16.2.5
rpm rhel8	thunderbird	-	-
rpm rhel8	firefox	-	-
rpm rhel9	firefox	-	-
rpm rhel10	thunderbird	-	-
rpm rhel9	thunderbird	-	-
rpm rhel10	firefox	-	-
rpm rhel7	firefox	-	-

Aliases

1. CVE-2026-445782. NVD-2026-445783. OSV-2026-445784. GHSA-c4j6-fc7j-m34r5. GCVE-2026-44578

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r2. https://github.com/vercel/next.js/releases/tag/v15.5.163. https://github.com/vercel/next.js/releases/tag/v16.2.54. https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2026/CVE-2026-44578.yaml5. https://github.com/panchocosil/verify-ghsa-c4j6-fc7j-m34r

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.