Latest Vercel Next.js vulnerability: CVE-2026-44578 #
Vercel disclosed that self-hosted Next.js applications using the built-in Node.js server are vulnerable to server-side request forgery (SSRF) within the WebSocket upgrade handling mechanism. A remote, unauthenticated attacker can exploit this flaw by sending crafted WebSocket upgrade requests. Successful exploitation allows the server to proxy requests to arbitrary internal or external destinations. This can expose sensitive internal services or cloud infrastructure endpoints, such as the Instance Metadata Service (IMDS), a local HTTP endpoint used by virtual machines to retrieve configurations, IP addresses, and IAM roles via a link-local address. This vulnerability has been designated CVE-2026-44578 and has been rated high with a CVSS score of 8.6.
The following versions are affected:
- Next.js 13, 14, and 15: Versions 13.4.13 through 15.5.15
- Next.js 16: Versions 16.0.0 through 16.2.4
What is Vercel Next.js? #
Next.js, an open-source React framework developed by Vercel, provides structure, routing, and rendering solutions for building full-stack web applications.
What is the impact? #
Successful exploitation of this vulnerability would allow an attacker to proxy requests to arbitrary internal or external destinations, potentially exposing sensitive internal services or cloud infrastructure endpoints.
Are updates or workarounds available? #
Users are encouraged upgrade affected systems to the following versions:
- Next.js 13.x, 14.x, and 15.x: Upgrade to version 15.5.16 or later.
- Next.js 16.x: Upgrade to version 16.2.5 or later.
How to find potentially vulnerable systems with runZero #
From the Software Inventory, use the following query to locate potentially impacted assets:
vendor:=Vercel AND product:="Next.js"December 2025: CVE-2025-55182 #
React disclosed a remote code execution (RCE) vulnerability in React Server Components that affects the React packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0.0 through 19.2.0, as well as frameworks that use them, such as Next.js. The upstream vulnerability has been designated CVE-2025-55182 and has been rated critical with a CVSS score of 10.0. Next.js also disclosed the downstream RCE vulnerability impacting applications using the App Router.
This flaw stems from an issue in how React decodes payloads sent to React Server Function endpoints (used by client components to call async functions on the server). Successful exploitation allows a remote, unauthenticated adversary to send a specially crafted request and subsequently execute arbitrary code on the server.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- Next.js 14.3.x versions 14.3.0-canary.77 and greater
- Next.js 15.0.x versions prior to 15.0.5
- Next.js 15.1.x versions prior to 15.1.9
- Next.js 15.2.x versions prior to 15.2.6
- Next.js 15.3.x versions prior to 15.3.6
- Next.js 15.4.x versions prior to 15.4.8
- Next.js 15.5.x versions prior to 15.5.7
- Next.js 16.0.x versions prior to 16.0.7
What is the impact? #
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- Next.js 15.0.x upgrade to version 15.0.5 or later
- Next.js 15.1.x upgrade to version 15.1.9 or later
- Next.js 15.2.x upgrade to version 15.2.6 or later
- Next.js 15.3.x upgrade to version 15.3.6 or later
- Next.js 15.4.x upgrade to version 15.4.8 or later
- Next.js 15.5.x upgrade to version 15.5.7 or later
- Next.js 16.0.x upgrade to version 16.0.7 or later
Note: Users of Next.js 14.3.x experimental canary releases should downgrade specifically to version 14.3.0-canary.76 or a 14.x stable release.
How to find potentially vulnerable systems with runZero #
From the Software Inventory, use the following query to locate potentially impacted assets:
(vendor:=Zeit OR vendor:=Vercel) AND (product:=Next.Js OR product:=Next.js)
