VYPR
High severity8.6GHSA Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-44578

CVE-2026-44578

Description

Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nextnpm
>= 13.4.13, < 15.5.1615.5.16
nextnpm
>= 16.0.0, < 16.2.516.2.5

Affected products

4
  • Vercel/Next.jsGHSA2 versions
    >= 16.0.0, < 16.2.5+ 1 more
    • (no CPE)range: >= 16.0.0, < 16.2.5
    • cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*range: >=13.4.13,<15.5.16
  • osv-coords2 versions
    < 0.51.0-r7+ 1 more
    • (no CPE)range: < 0.51.0-r7
    • (no CPE)range: >= 13.4.13, < 15.5.16

Patches

Vulnerability mechanics

References

5

News mentions

2