Next.js 13.4.13 < 15.5.16 Server-Side Request Forgery

high Web App Scanning Plugin ID 115241

Language:

Synopsis

Next.js 13.4.13 < 15.5.16 Server-Side Request Forgery

Description

The version of Next.js installed on the remote host is 13.4.13 prior to 15.5.16 or 16.0.0 prior to 16.2.5. It is, therefore, affected by a Server-Side Request Forgery vulnerability in the WebSocket upgrade handler that allows unauthenticated GET-only SSRF to any host on port 80 reachable from the server.

Note that the scanner has not attempted to exploit this issue but has instead relied only on application's self-reported version number.

Solution

Upgrade to Next.js version 15.5.16 or later.

See Also

https://github.com/advisories/GHSA-c4j6-fc7j-m34r

https://hadrian.io/blog/next-js-websocket-ssrf-unauthenticated-access-to-internal-resources-cve-2026-44578-2

Plugin Details

Severity: High

ID: 115241

Type: Version Based

Family: Component Vulnerability

Published: 5/20/2026

Updated: 5/20/2026

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.9

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-44578

CVSS v3

Risk Factor: High

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS Score Source: CVE-2026-44578

Vulnerability Information

CPE: cpe:2.3:a:vercel:next.js:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/6/2026

Reference Information

CVE: CVE-2026-44578

CWE: 918

OWASP: 2010-A6, 2013-A5, 2013-A9, 2017-A6, 2017-A9, 2021-A10, 2021-A6, 2025-A1, 2025-A6

WASC: Application Misconfiguration

DISA STIG: APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-CM-6b

OWASP API: 2019-API7, 2023-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.2.6

PCI-DSS: 3.2-6.2, 3.2-6.5.9