
Next.js 15.5.16 and 16.2.5 patch an unauthenticated SSRF vulnerability in the WebSocket upgrade handler that affects every self-hosted build from 13.4.13 onward. A single HTTP request with an absolute-form URL and WebSocket upgrade headers makes the server issue a request from its own network position to any attacker-chosen host on port 80 and return the response, bypassing the routing safety check that the regular HTTP path already enforced.

The Bug: How an Absolute-Form URL Bypasses Routing Checks

The flaw sits in router-server.ts, where the WebSocket upgrade handler calls resolveRoutes but never checks the finished flag that the standard HTTP request handler uses to abort unsafe requests. According to Bastion's technical analysis [1], the upgrade path destructured values from the routing resolution and proceeded unconditionally, while the HTTP path would have halted on the same input.

An attacker sends a request with an absolute-form request target, Upgrade: websocket, and Connection: Upgrade. The Next.js process treats this as a valid upgrade attempt, issues an internal HTTP GET to the attacker-chosen host on port 80, and returns the response body to the unauthenticated caller. The GitHub security advisory [2] confirms this requires no authentication and no prior access to the target application.

Affected Scope: Exposed Self-Hosted Instances

NVD published CVE-2026-44578 [3] on May 13, 2026, with a CVSS 3.1 base score of 8.6 (High). The patches arrived two days earlier, on May 11.

Hadrian's Shodan sampling [4] estimates the directly exploitable pool at roughly 79,000 instances. Their methodology starts from 740,000 publicly reachable Next.js servers, of which about 118,700 are directly exposed on port 3000 and 66.7% of those run a vulnerable version (118,700 × 0.667 ≈ 79,000). That figure is an estimate of exposure, not a count of compromised systems.

Exploitation in Practice: Internal Recon and Metadata Extraction

Bastion's write-up [1] documents confirmed exploit targets: cloud metadata endpoints at 169.254.169.254, internal admin panels, and environment-stored API keys. Because the SSRF returns the full HTTP response body to the attacker, a successful request yields the same data an internal service would return to a trusted caller.

The absolute-form request target is the key. On the ordinary HTTP path, routing resolution marks such a request as finished and the handler stops there; the upgrade handler skips the finished check, so the same request goes through without a genuine WebSocket handshake ever completing. The server proxies the request and hands back the response.

Why Vercel-Hosted Apps Are Immune

The architectural boundary matters. On Vercel, the WebSocket upgrade is handled at the platform edge before it reaches the Next.js runtime. The framework’s own upgrade code never executes, so the missing finished flag check is moot. This is a self-hosted vulnerability by definition. Teams running next start on their own infrastructure, including containerized deployments and VPS setups, carry the exposure.

The Vibe-Coding Long Tail: Why Patches Lag

The more durable risk is operational, not technical. Much of the exposed pool likely belongs to projects where the framework version was selected by an AI scaffold six months ago and nobody on the team subscribes to Next.js security advisories. There is no automatic patching mechanism for a dependency choice buried in a package.json that no one remembers editing.

This is not a Next.js-specific pathology. Any framework with a long support tail and a self-hosted deployment path creates the same gap when the team that deployed it has moved on. The difference here is the scale of the exposed surface and the triviality of the exploit: one HTTP request, no auth required.

Mitigation: Upgrade, Block, and Monitor

The patched versions are 15.5.16 and 16.2.5, both released May 11, 2026. Self-hosted operators should upgrade immediately. Where patching is delayed, block absolute-form requests that carry Upgrade: websocket at the edge proxy or WAF. The GitHub advisory [2] recommends this as an interim control.

For the long tail of unmaintained deployments, the only practical mitigation is discovery. Scan your own infrastructure for Next.js instances on public IPs, check their versions, and treat anything from 13.4.13 onward that is older than 15.5.16 (on the 13.x through 15.x lines) or 16.2.5 (on 16.x) as a priority patch target. Hadrian's 79,000 figure measures exposure, not attacker interest, and both the exposed count and the share still unpatched can move quickly.
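The version triage in the previous paragraph, as an added example (not code from the page, from Next.js or from Vercel). It assumes only what the article states: the flaw arrived in 13.4.13 and the named fixes are 15.5.16 and 16.2.5, so 13.4.13 through 15.5.15 (all of 14.x included) and 16.0.0 through 16.2.4 are treated as vulnerable, and any release newer than 16.2.5 is assumed to carry the fix. The inventory it sorts is constructed; how you collect versions from your own hosts is up to your inventory tooling.

```javascript
// Added example, not code from the page, from Next.js or from Vercel.
// Triages an inventory of self-hosted Next.js versions against the affected
// range the article gives. Assumptions: the flaw arrived in 13.4.13; 15.5.16
// and 16.2.5 are the only fixed releases named, so 13.4.13 through 15.5.15
// (including all of 14.x) and 16.0.0 through 16.2.4 are treated as
// vulnerable, and anything newer than 16.2.5 is assumed to carry the fix.

const INTRODUCED = '13.4.13';
const FIXED = ['15.5.16', '16.2.5']; // ascending; first fixed release per major line

// "16.2.5" or "15.5.16-canary.3" -> { nums: [16, 2, 5], pre: "canary.3" | null }
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// SemVer-style ordering: numeric parts first; a prerelease sorts before the
// release it precedes, so 15.5.16-canary.1 is still below the 15.5.16 fix.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isVulnerable(version) {
  if (compareVersions(version, INTRODUCED) < 0) return false; // predates the bug
  const major = parseVersion(version).nums[0];
  const fixOnLine = FIXED.find((f) => parseVersion(f).nums[0] === major);
  if (fixOnLine) return compareVersions(version, fixOnLine) < 0;
  // No fix on this major line: 13.x/14.x still carry the bug; a major newer
  // than the newest fix is assumed to include it.
  return compareVersions(version, FIXED[FIXED.length - 1]) < 0;
}

// Sort an inventory into patch-priority, ok and unknown (version not
// determined or not parseable). Each entry: { host, version }.
function triage(inventory) {
  const out = { priority: [], ok: [], unknown: [] };
  for (const { host, version } of inventory) {
    let vulnerable;
    try { vulnerable = version ? isVulnerable(version) : null; } catch { vulnerable = null; }
    if (vulnerable === null) out.unknown.push(host);
    else if (vulnerable) out.priority.push(host);
    else out.ok.push(host);
  }
  return out;
}

// Constructed inventory (documentation addresses, not real hosts).
const CONSTRUCTED_INVENTORY = [
  { host: '203.0.113.10:3000', version: '14.2.3' },
  { host: '203.0.113.11:3000', version: '15.5.16' },
  { host: '203.0.113.12:3000', version: '16.2.4' },
  { host: '203.0.113.13:3000', version: '15.5.16-canary.1' },
  { host: '203.0.113.14:3000', version: null },
];

console.log(triage(CONSTRUCTED_INVENTORY));
```

Hosts whose version cannot be determined land in the unknown bucket rather than being silently treated as safe; for this flaw an unknown self-hosted instance deserves the same attention as a known-vulnerable one until its version is confirmed.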

Frequently Asked Questions

Can this SSRF reach internal services on arbitrary ports?

No. The framework issues a standard HTTP GET constrained to port 80, so databases on 5432, Redis on 6379, and internal APIs on custom ports are not directly reachable through this vector. Cloud metadata endpoints are the primary target because AWS IMDSv1 and the GCP metadata server both answer on port 80 and so sit fully within scope. Whether a given endpoint yields credentials still depends on its own access rules: AWS IMDSv2 requires a PUT to obtain a session token before any GET, and the GCP metadata server expects a Metadata-Flavor: Google request header.

How does this compare to unrestricted SSRF in severity?

Most server-side request forgery flaws allow targeting arbitrary host and port combinations. CVE-2026-44578 is scoped to port 80 only, which narrows the blast radius relative to an unrestricted SSRF. However, the port-80 constraint is still sufficient for metadata credential theft on all three major clouds wherever the endpoint accepts a plain GET (IMDSv1 on AWS, for example), which is the highest-value single-request exploitation path in most environments.

How long was the vulnerable code path present before discovery?

The missing finished flag check in the WebSocket upgrade handler has existed since Next.js 13.4.13, meaning the flaw sat undetected across multiple major versions for roughly three years. That gap between introduction and disclosure is unusually long for a CVSS 8.6 issue in a framework with millions of weekly npm downloads.

Will a generic SSRF WAF rule catch the exploit?

Not reliably. The attack uses an absolute-form request target with standard WebSocket upgrade headers, all valid per RFC 7230 (now RFC 9112) and RFC 6455. WAF signatures that look for URL-encoded internal IPs or suspicious query parameters will miss it. Effective detection requires matching the combination of an absolute-form request target (a request line whose target begins with a full scheme://host URL rather than a path) with both Upgrade: websocket and Connection: Upgrade headers present.
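The three-condition match described here, which is also the interim block recommended in the Mitigation section, as an added example (not code from the page, from Next.js, from Vercel or from any WAF vendor). It operates on a raw HTTP/1.1 request head as text, which is what an edge proxy rule engine or a packet-derived log would have; header-name case, mixed-case token values and multi-token Connection lists are handled so a trivially varied request does not slip past. The request heads it is exercised on are constructed, not captured traffic.

```javascript
// Added example, not code from the page, from Next.js or from Vercel.
// Matches the request shape the article describes (absolute-form request
// target plus Upgrade: websocket plus Connection: Upgrade) on a raw HTTP/1.1
// request head. Sample requests below are constructed.

const ABSOLUTE_FORM = /^[A-Za-z][A-Za-z0-9+.-]*:\/\//; // target starts "scheme://"

// Parse the request head into { method, target, version, headers }.
// Field names are lower-cased (they are case-insensitive); repeated fields
// are joined with ", " so list-typed headers such as Connection still parse.
function parseRequestHead(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const [method, target = '', version] = lines[0].trim().split(/\s+/);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // not a header field; skip
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { method, target, version, headers };
}

// Comma-separated header value -> lower-cased tokens ("keep-alive, Upgrade").
function listTokens(value) {
  return (value || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// The rule: all three conditions together. An ordinary WebSocket handshake
// uses an origin-form target ("/ws") and is left alone; an absolute-form
// target without the two upgrade headers is a plain proxy-style request and
// is also left alone.
function isAbsoluteFormWebSocketUpgrade(raw) {
  const { target, headers } = parseRequestHead(raw);
  return (
    ABSOLUTE_FORM.test(target) &&
    listTokens(headers.upgrade).includes('websocket') &&
    listTokens(headers.connection).includes('upgrade')
  );
}

// Destination the server would be made to contact, for the alert/log line.
function upstreamHost(raw) {
  const { target } = parseRequestHead(raw);
  if (!ABSOLUTE_FORM.test(target)) return null;
  try { return new URL(target).hostname; } catch { return null; }
}

// Constructed request heads for exercising the rule (not captured traffic).
const CONSTRUCTED_REQUESTS = {
  // Normal handshake from a browser client: origin-form target.
  legitimateUpgrade:
    'GET /ws HTTP/1.1\r\nHost: app.example\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n',
  // The pattern from the article, aimed at the cloud metadata address.
  absoluteFormUpgrade:
    'GET http://169.254.169.254/latest/meta-data/ HTTP/1.1\r\nHost: app.example\r\n' +
    'Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n',
  // Same, with mixed case and a multi-token Connection list; must still match.
  mixedCaseUpgrade:
    'GET http://10.0.0.5/admin HTTP/1.1\r\nHost: app.example\r\n' +
    'upgrade: WebSocket\r\nconnection: keep-alive, Upgrade\r\n\r\n',
  // Absolute-form target but no upgrade headers: not this pattern.
  absoluteFormPlain:
    'GET http://10.0.0.5/admin HTTP/1.1\r\nHost: app.example\r\n\r\n',
};

// Names of the constructed samples the rule flags.
function flagged(samples = CONSTRUCTED_REQUESTS) {
  return Object.keys(samples).filter((k) => isAbsoluteFormWebSocketUpgrade(samples[k]));
}

for (const name of flagged()) {
  console.log(`${name}: would proxy to ${upstreamHost(CONSTRUCTED_REQUESTS[name])}`);
}
```

Logging the upstream host alongside the block is worth the extra line: a hit against 169.254.169.254 or a private range tells the responder immediately what the attacker was after, while a hit against an external host is more likely reconnaissance of the proxy behaviour itself.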

Footnotes

  1. Bastion's technical analysis (analysis; accessed 2026-05-18)
  2. GitHub security advisory (vendor; accessed 2026-05-18)
  3. NVD CVE-2026-44578 (primary; accessed 2026-05-18)
  4. Hadrian's Shodan sampling (primary; accessed 2026-05-18)
