{"uuid": "e4d2a062-f062-4c9a-86b9-77db71f47033", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-44578", "type": "seen", "source": "https://gist.github.com/leedc0101/2125a81a4a6c9a3e8ceb67fea7454149", "content": "# Server-side request forgery in applications using WebSocket upgrades\n\n- Original title: Server-side request forgery in applications using WebSocket upgrades\n- Original link: https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r\n- Translation date: 2026-05-17 KST\n\n## Korean translation\n\nA security advisory has been published stating that self-hosted Next.js applications that use the default Node.js server and receive WebSocket upgrade requests can be vulnerable to server-side request forgery (SSRF). An attacker can use a crafted WebSocket upgrade request to make the server proxy requests to arbitrary internal or external destinations. In that case internal services or cloud metadata endpoints are at risk of exposure.\n\nThe affected package is `next` on npm, and the affected versions are `>=13.4.13 <15.5.16` and `>=16.0.0 <16.2.5`. The patched versions are `15.5.16` and `16.2.5`. Applications deployed on Vercel are stated not to be affected. The core risk is the combination of “self-hosting + built-in Node.js server + exposed WebSocket upgrade”.\n\nThe fix applies the same safety checks that already governed ordinary HTTP requests to WebSocket upgrade handling as well. Upgrade requests are now proxied only when routing has explicitly marked them as a safe external rewrite.\n\nIf you cannot upgrade immediately, the first priority is not to expose the origin server directly to untrusted networks. If WebSocket upgrades are not needed, block such requests at the reverse proxy or load balancer. In addition, a defence that prevents the origin server from freely egressing to the internal network or the cloud metadata service is needed.\n\nThe vulnerability's severity is High, CVSS 8.6. The attack vector is network, attack complexity is low, and no privileges or user interaction are required. The confidentiality impact is rated high. The CVE ID is `CVE-2026-44578`.\n\nFrom a frontend team's perspective the checkpoint is simple. If you self-host Next.js, check your current version and, where possible, move to `15.5.16` or `16.2.5` or later. Teams running Next.js outside Vercel, such as on Cloud Run, ECS, EC2, Kubernetes, or a bare Node server, should in particular check whether the WebSocket upgrade path is open, including the reverse proxy configuration. Even though a security patch may look like “just a frontend framework version bump”, its actual blast radius extends to the infrastructure and the network boundary.\n", "creation_timestamp": "2026-05-17T01:29:38.000000Z"}