🔴 CVSS Score: 8.6 (High) · Affects: Next.js 13.4.13 – 15.5.15 and 16.0.0 – 16.2.4 on self-hosted `next start` · EOL: Next.js 13.x (December 2024), Next.js 14.x (October 2025) · Patch available: Never for EOL branches
CVE-2026-44578 Nextjs 14.2.35 is an unauthenticated SSRF risk with no vendor patch path for the EOL 13.x and 14.x branches. If your team runs self-hosted Next.js on 13.x or 14.x, you are exposed. Attackers can send unauthenticated WebSocket upgrade requests and force your Node.js process to proxy internal HTTP GET targets, including 169.254.169.254. You need compensating controls now and a supported-version migration path immediately.
Use these dofollow references for validation and response playbooks: Next.js Support Policy, NVD CVE-2026-44578, and Next.js lifecycle status. For related coverage on your own site, link readers to CVE Watch, Migration Guides, and Deprecation Watch.
CVE-2026-44578 Nextjs 14.2.35 Vulnerability Summary
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-44578 |
| CVSS Score | 8.6 (High) |
| Attack Vector | WebSocket HTTP Upgrade |
| Authentication Required | None |
| Affected Versions | 13.4.13 – 15.5.15; 16.0.0 – 16.2.4 |
| Patched Versions | 15.5.16; 16.2.5 |
| EOL Branches Called Out in Draft | 13.x (EOL December 2024), 14.x (EOL October 2025) |
| Patch Available for EOL Branches | No – version is EOL |
| Vercel Managed Deployments | Unaffected by this specific SSRF vector |
| Mitigation Available | Yes – upgrade, ingress filtering, egress controls, IMDS hardening, detection |

| Related CVE | CVSS | Primary Vector | Vulnerable Versions (from raw draft) | Patched Versions (from raw draft) | Key Constraint |
|---|---|---|---|---|---|
| CVE-2026-44575 | 8.2 | Route segment prefetch auth bypass | 15.2.0 – 15.5.15; 16.0.0 – 16.2.4 | 15.5.16; 16.2.5 | App Router + middleware.ts auth |
| CVE-2026-45109 | 7.5 | Turbopack middleware bypass | 15.2.0 – 15.5.17; 16.0.0 – 16.2.5 | 15.5.18; 16.2.6 | Turbopack builds |
| CVE-2026-44574 | 8.1 | Dynamic route parameter injection | 15.4.0 – 15.5.15; 16.0.0 – 16.2.4 | 15.5.16; 16.2.5 | Dynamic routes with middleware checks |
| CVE-2026-23870 | 7.5 | RSC DoS via malformed payloads | 13.x, 14.x, 15.x, 16.x | 15.5.16; 16.2.5 | React Server Components/server functions |
| CVE-2026-44581 | 4.7 | Stored XSS via CSP nonce poisoning | 13.4.0 – 15.5.15; 16.0.0 – 16.2.4 | 15.5.16; 16.2.5 | Dynamic CSP nonce + shared CDN |
| CVE-2026-44580 | 6.1 | XSS in beforeInteractive strategy | Included in May 2026 disclosure cluster | Included in May 2026 patch releases | Script rendering path |
| CVE-2026-44582 | 3.7 | _rsc cache poisoning | Included in May 2026 disclosure cluster | Included in May 2026 patch releases | CDN cache collision behavior |
| CVE-2026-27977 | Not Rated | HMR bypass (Origin: null) | 13.x, 14.x, 15.x, 16.x | 16.1.7 | next dev exposed to untrusted origins |
| CVE-2025-29927 | N/A in raw draft | Auth bypass via x-middleware-subrequest | Earlier foundational disclosure | N/A in raw draft | Middleware pipeline handling |
| CVE-2025-55182 | N/A in raw draft | Unauthenticated App Router RCE | Earlier foundational disclosure | N/A in raw draft | App Router endpoint exposure |
| CVE-2025-13984 | 6.1 | XSS in Drupal Next.js module | Earlier foundational disclosure | N/A in raw draft | Permissive cross-domain integration |
What the Vulnerability Does
The CVE-2026-44578 Nextjs 14.2.35 SSRF sits in packages/next/src/server/lib/router-server.ts in the WebSocket upgrade handling path. The standard HTTP flow checks both request completion state and protocol, but the upgrade path checks protocol only. That mismatch lets an unauthenticated actor craft Connection: Upgrade and Upgrade: websocket traffic that triggers internal proxying behavior.
In production, this can expose internal admin routes, internal microservices, Docker bridge targets, and cloud metadata endpoints. In Kubernetes, the same flaw can target https://kubernetes.default.svc or east-west service ports if your network controls are weak. If your node can still query IMDS without IMDSv2 enforcement, attackers can pull temporary IAM credentials and pivot.
The same disclosure window also includes bypass and availability risks you cannot ignore. App Router prefetch and .rsc transport variants can bypass middleware auth checks (CVE-2026-44575), and Turbopack-specific execution paths stayed bypassable after an initial fix (CVE-2026-45109). RSC deserialization flaws can trigger CPU and memory exhaustion (CVE-2026-23870), while CSP nonce handling and cache-token behavior introduce stored XSS and cache poisoning paths (CVE-2026-44581, CVE-2026-44582).
Are You Affected?
```bash
# Identify exact framework and environment details
npx next info
# Confirm deployed Next.js version range
npm ls next
# Check RSC package exposure tied to DoS disclosures
npm ls react-server-dom-webpack
npm ls react-server-dom-turbopack
# Find middleware-centric auth controls (high bypass risk)
find . -name "middleware.ts" -o -name "middleware.js"
# Find CSP nonce and header-driven CSP generation points
grep -rn "nonce" src/
grep -rn "Content-Security-Policy" src/
```

If you run self-hosted `next start` in the affected ranges, you are in scope for CVE-2026-44578. If your auth model depends primarily on `middleware.ts`, you are also in scope for CVE-2026-44575 and CVE-2026-45109 bypass behavior. Treat CVE-2026-44578 Nextjs 14.2.35 as an immediate production hardening trigger.
Why There Is No Patch Coming
Your patch path depends on support lifecycle, not intent. The raw draft states Next.js 13.x is EOL as of December 2024 and 14.x is EOL as of October 2025, and those branches do not receive official security backports. Vercel-managed hosting avoids this specific SSRF vector, but that does not remove bypass and DoS exposure for other CVEs in the same period.
If you are on 13.x or 14.x, your operational choice is clear: harden aggressively now, then migrate. Treat this as both a security incident and a compliance issue under SOC 2 CC6.1/CC7.1, PCI-DSS 4.0 section 6.3.3, and ISO 27001:2022 Annex A 8.8, as described in the raw draft.
Immediate Mitigations
Option 1 — Upgrade to Supported Version (Recommended)
Use patched supported branches now:
- Upgrade to 15.5.16 or 16.2.5 for baseline May 2026 fixes, including SSRF.
- Upgrade to 15.5.18 or 16.2.6 to cover the Turbopack bypass fix gap.
- If you cannot move off 13.x/14.x in one change window, isolate and harden while you stage migration.
Option 2 — Network-Level Mitigation
Drop unnecessary upgrade traffic at ingress and constrain egress from application pods.
```nginx
# NGINX mitigation for CVE-2026-44578
server {
    listen 80;
    server_name application.internal;
    location / {
        proxy_pass http://localhost:3000;
        # Strip upgrade headers if your app does not require WebSockets
        # (an empty value tells nginx not to forward the header)
        proxy_set_header Upgrade "";
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

```yaml
# Kubernetes NetworkPolicy for Next.js egress lockdown
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-nextjs-egress
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: nextjs-frontend
  policyTypes:
    - Egress
  egress:
    # Allow DNS resolution only
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Allow traffic only to the backend-services namespace
    - to:
        - namespaceSelector:
            matchLabels:
              name: backend-services
```

Enforce IMDSv2 on AWS nodes. The draft states this SSRF path is GET-only, so an attacker cannot issue the PUT request that IMDSv2 requires to obtain a session token.
Option 3 — Detection
Detect execution and bypass attempts at multiple layers:
- Monitor for `Upgrade: websocket` on routes not designed for WebSockets.
- Alert on outbound Node.js connections to `169.254.169.254` and unexpected RFC1918/internal ranges.
- Flag the log fingerprint `Failed to proxy http:/` for SSRF path execution.
- Alert on `200 OK` to protected `.rsc`/prefetch route variants without valid session context.
- Monitor CDN analytics for concentrated `_rsc` key collisions and response-size variance on identical keys.
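As an added example (not code from the page or from the Next.js project), the following Python script applies the first three detections above to constructed sample log lines. The access-log format with a trailing `upgrade=` field, the egress flow-record format, and the `/api/live` WebSocket allowlist are assumptions for the demo.

```python
import ipaddress
import re

# Assumed nginx log_format that appends the $http_upgrade value to each line:
#   '$remote_addr - [$time_local] "$request" $status "upgrade=$http_upgrade"'
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) "upgrade=(?P<upgrade>[^"]*)"$'
)
# Assumed egress flow-record format from the node: "<ts> egress pid=<n> dst=<ip>:<port>"
FLOW_RE = re.compile(r"^\S+ egress pid=\d+ dst=(?P<dst>[^:]+):(?P<port>\d+)$")

WEBSOCKET_ROUTES = {"/api/live"}  # assumed: the only route meant to accept an upgrade
METADATA_IP = ipaddress.ip_address("169.254.169.254")
PROXY_FINGERPRINT = "Failed to proxy http:/"  # log fingerprint named on the page

def classify(line: str):
    m = ACCESS_RE.match(line)
    if m:  # ingress side: an Upgrade header on a route that never speaks WebSocket
        if m["upgrade"].lower() == "websocket" and m["path"] not in WEBSOCKET_ROUTES:
            return "upgrade-on-non-websocket-route"
        return None
    m = FLOW_RE.match(line)
    if m:  # egress side: the Node process reaching IMDS or internal ranges
        dst = ipaddress.ip_address(m["dst"])
        if dst == METADATA_IP:
            return "outbound-to-imds"
        if dst.is_private:
            return "outbound-to-internal-range"
        return None
    if PROXY_FINGERPRINT in line:  # application log: the proxy path was exercised
        return "proxy-failure-fingerprint"
    return None

def scan(lines):
    return [(alert, line) for line in lines if (alert := classify(line))]

# Constructed sample lines covering each indicator plus benign traffic.
SAMPLE_LOGS = [
    '203.0.113.5 - [01/May/2026:10:00:01 +0000] "GET /dashboard HTTP/1.1" 200 "upgrade=websocket"',
    '203.0.113.5 - [01/May/2026:10:00:02 +0000] "GET /api/live HTTP/1.1" 101 "upgrade=websocket"',
    '198.51.100.9 - [01/May/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 "upgrade="',
    "2026-05-01T10:00:04Z egress pid=4242 dst=169.254.169.254:80",
    "2026-05-01T10:00:05Z egress pid=4242 dst=10.0.3.12:8080",
    "2026-05-01T10:00:06Z egress pid=4242 dst=93.184.216.34:443",
    "[next] Failed to proxy http://10.0.3.12:8080/admin Error: connect ECONNREFUSED",
]

if __name__ == "__main__":
    print("\n".join(f"{alert:32} {line}" for alert, line in scan(SAMPLE_LOGS)))
```

In production the same `classify` logic would feed a SIEM rule, with the route allowlist and flow source replaced by your own.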
Upgrade Path
- Inventory every Next.js deployment and classify by hosting model: Vercel-managed, self-hosted VM, Docker, Kubernetes, edge runtime.
- Prioritize internet-facing self-hosted services and apply ingress + egress mitigations within 24 hours.
- Enforce IMDSv2 and block metadata endpoint access from application workloads.
- Upgrade branches to 15.5.18 or 16.2.6 and validate all environment-specific build paths, including Turbopack.
- Move authorization checks from edge-only `middleware.ts` into route handlers and data-access boundaries for defense in depth.
- Invalidate CDN cache immediately if you generate dynamic CSP nonces from request headers.
- Add SIEM/APM detections for missing middleware spans, `.rsc` anomalies, and suspicious upgrade traffic.
If you cannot upgrade today, implement two controls now: strip unneeded WebSocket upgrade headers at ingress and lock outbound egress from Next.js workloads. Then schedule the supported-version migration as your next production change for CVE-2026-44578 Nextjs 14.2.35.
