CVE-2026-44578

Vercel · Next.js

A Server-Side Request Forgery (SSRF) vulnerability in Vercel Next.js allows unauthenticated attackers to perform unauthorized requests from the server.

Executive summary

A critical Server-Side Request Forgery (SSRF) vulnerability in Next.js allows unauthenticated attackers to force the server to make unauthorized requests, potentially leading to information disclosure.

Vulnerability

This is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) that allows remote, unauthenticated attackers to cause the server to send requests to arbitrary destinations. The CVSS vector indicates no user interaction or privileges are required (AV:N/PR:N/UI:N).

Business impact

The vulnerability poses a severe risk as it can be used to bypass network firewalls, access internal metadata services (like AWS/GCP instance metadata), or interact with internal APIs that are not publicly exposed. With a CVSS score of 8.6, this flaw represents a significant threat to internal infrastructure and sensitive environment configurations.

Remediation

Immediate Action: Update to Next.js version 15.5.16 or 16.2.5 immediately to resolve the SSRF flaw.

Proactive Monitoring: Monitor outgoing server traffic for connections to unexpected internal IP ranges or unauthorized external domains.

Compensating Controls: Implement strict egress filtering at the network level to restrict the server from accessing internal management interfaces or metadata endpoints.

Exploitation status

Public Exploit Available: Yes — Multiple public proof-of-concept repositories exist on GitHub.

Analyst recommendation

This is a high-priority vulnerability due to its ease of exploitation (unauthenticated) and the availability of public PoC code. Organizations running affected versions of Next.js must expedite the patching process and audit their egress network policies to mitigate the impact of potential SSRF attempts.