Critical Next.js Flaw Exposes Cloud Credentials
A critical, high-severity vulnerability has been identified in Next.js, posing a significant threat to self-hosted web applications. Exploitation of this flaw could lead to severe data breaches.
Threat actors can now exploit a Server-Side Request Forgery (SSRF) flaw to silently steal cloud credentials, harvest API keys, and access sensitive internal admin panels.
Organizations running self-hosted Next.js environments must patch immediately to prevent attackers from pivoting into their internal networks.
Next.js Flaw Exposes Credentials
The vulnerability, tracked as CVE-2026-44578, originates in how the built-in Next.js Node.js server handles WebSocket upgrade requests.
Attackers can send specially crafted WebSocket requests that trick the server into acting as a proxy. This forces the server to forward malicious requests to arbitrary internal or external destinations.
Because the server itself executes the request, it bypasses external firewalls. Attackers can use this trusted position to query internal network services, access unprotected admin dashboards, or reach cloud metadata endpoints.
Cloud metadata endpoints are particularly valuable targets because they often store temporary IAM credentials, API tokens, and deployment secrets.
This SSRF vulnerability affects only self-hosted Next.js applications that rely on the default Node.js server.
If your application runs on Vercel, you remain completely safe from this exploit. The Vercel infrastructure does not utilize the vulnerable WebSocket routing implementation.
If you manage your own infrastructure, you must verify your Next.js version. The flaw affects two distinct release tracks in the Next.js ecosystem.
The Next.js maintenance team has released security patches that apply strict safety checks to WebSocket upgrade handling.
The server now only proxies upgrade requests when routing configurations explicitly mark them as safe external rewrites.
Tim Neutkens disclosed GHSA-c4j6-fc7j-m34r on GitHub, advising developers to upgrade to Next.js 15.5.16 or 16.2.5 immediately. Where patching isn’t possible, network-level protections are recommended.
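An added example (not from the advisory or the Next.js project) to support the upgrade advice above: a small Python check that reads the resolved `next` version from a package-lock.json and reports whether it is below the fixed release on its track. The lower bounds of the affected ranges are not stated here, so any release below 15.5.16 on the 15.x track or 16.2.5 on the 16.x track is reported as affected and other major tracks as unknown; the lockfile content is constructed.

```python
"""Compare an installed Next.js version against the fixed releases named in
the advisory (15.5.16 on the 15.x track, 16.2.5 on the 16.x track).
Assumption: lower bounds of the affected ranges are not known here, so any
release below the fix on its track is treated as affected; other major
tracks report "unknown"."""
import json
import re
from typing import Optional

# Fixed release per major track, as named in the advisory text.
FIXED_BY_TRACK = {15: (15, 5, 16), 16: (16, 2, 5)}

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text: str) -> Optional[tuple]:
    """Parse '15.5.15', 'v16.2.4' or '16.2.5-canary.3' into a comparable tuple.
    A pre-release sorts before the final release with the same numbers."""
    m = _SEMVER.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)  # 1 = final release


def assess(version_text: str) -> str:
    """Return 'affected', 'patched' or 'unknown' for an installed Next.js version."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    fixed = FIXED_BY_TRACK.get(v[0])
    if fixed is None:
        return "unknown"  # major track not covered by the advisory text quoted here
    return "patched" if v >= fixed + (1,) else "affected"


def installed_next_version(lockfile_json: str) -> Optional[str]:
    """Pull the resolved 'next' version out of a package-lock.json (v2/v3 or v1 layout)."""
    data = json.loads(lockfile_json)
    pkg = data.get("packages", {}).get("node_modules/next")
    if pkg and "version" in pkg:
        return pkg["version"]
    dep = data.get("dependencies", {}).get("next")  # lockfileVersion 1 layout
    return dep.get("version") if dep else None


# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = json.dumps({"name": "demo", "lockfileVersion": 3,
                          "packages": {"node_modules/next": {"version": "15.5.15"}}})

if __name__ == "__main__":
    ver = installed_next_version(SAMPLE_LOCK)
    print(ver, assess(ver))  # prints "15.5.15 affected"
```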
Administrators should configure reverse proxies or load balancers to block all WebSocket upgrade requests if the application does not actively use them.
Additionally, security teams must restrict the origin server’s outbound traffic, completely blocking access to internal cloud metadata services and unrelated internal networks.