Critical Next.js Vulnerability Exposes Cloud Credentials and API Keys
Key Takeaways
- A critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-44578, has been discovered in Next.js applications.
- The flaw allows attackers to steal cloud credentials, API keys, and access internal systems by tricking the Next.js Node.js server into acting as a proxy.
- Only self-hosted Next.js applications using the default Node.js server are affected; Vercel-hosted applications are not vulnerable.
- Patches are available in Next.js versions 15.5.16 and 16.2.5, and immediate upgrade is strongly recommended.
Critical Next.js Flaw Puts Cloud Credentials at Risk
A severe security vulnerability has been identified in Next.js, posing a substantial risk to self-hosted web applications. The flaw is a Server-Side Request Forgery (SSRF) issue, and exploiting it could give threat actors a path to significant data breaches.
Exploitation of this critical flaw allows attackers to surreptitiously exfiltrate cloud credentials, harvest sensitive API keys, and gain unauthorized access to internal administrative panels. Organizations utilizing self-hosted Next.js environments are urged to apply patches without delay to prevent adversaries from infiltrating their internal networks.
Understanding the Vulnerability: CVE-2026-44578
Designated as CVE-2026-44578, the vulnerability stems from how the integrated Next.js Node.js server processes WebSocket upgrade requests. Malicious actors can craft specific WebSocket requests that manipulate the server into functioning as an unwitting proxy.
The server then forwards the attacker-chosen request to an arbitrary internal or external destination. Because the request originates from the server itself, it bypasses perimeter firewalls. From that privileged position an attacker can query internal network services, reach unprotected administration dashboards, or contact cloud metadata endpoints.
Cloud metadata endpoints are particularly attractive targets due to their common storage of ephemeral IAM credentials, API tokens, and deployment secrets, which are crucial for deeper network penetration.
Affected Environments and Remediation
This SSRF vulnerability exclusively impacts Next.js applications that are self-hosted and rely on the default Node.js server. Crucially, applications deployed on Vercel’s infrastructure are not susceptible to this exploit, as Vercel does not employ the vulnerable WebSocket routing implementation.
For those managing their own infrastructure, it is imperative to verify the Next.js version in use. The vulnerability affects both the 15.x and 16.x release tracks, and each track has its own patched release. The Next.js maintenance team has issued security patches that introduce stringent safety checks for WebSocket upgrade handling: the server will now only proxy an upgrade request if the routing configuration explicitly designates it as a safe external rewrite.
According to Tim Neutkens, who disclosed GHSA-c4j6-fc7j-m34r on GitHub, developers should upgrade to Next.js 15.5.16 or 16.2.5 immediately. In scenarios where immediate patching is not feasible, network-level protective measures are advised.
What You Should Do
- Upgrade Next.js: Immediately update your self-hosted Next.js applications to version 15.5.16 or 16.2.5 to apply the necessary security patches.
- Implement Network Protections: If immediate patching is not possible, configure reverse proxies or load balancers to block all WebSocket upgrade requests, especially if your application does not actively utilize them.
- Restrict Outbound Traffic: Enhance security by restricting the origin server’s outbound network traffic, specifically blocking access to internal cloud metadata services and any unrelated internal networks.