explaingit

deathshotxd/nextpulse

Language · Python | Audience · ops, devops | Complexity · 3/5 | Active | License | Setup · easy

TLDR

Python CLI for authorized security testers that probes Next.js sites for CVE-2026-44578 SSRF via WebSocket upgrades, then extracts cloud metadata credentials when vulnerable.

Mindmap

mindmap
  root((NextPulse))
    Inputs
      Target URL or list
      AWS Azure GCP flags
    Outputs
      Vulnerability report
      Extracted credentials
      JSON results
    Use Cases
      Bug bounty triage
      Red team SSRF chains
      Mass scanning targets
    Tech Stack
      Python
      Requests
      WebSockets
      CLI

Things people build with this

USE CASE 1

Confirm CVE-2026-44578 exposure on a Next.js app in scope for a bug bounty program.

USE CASE 2

Run a mass scan of authorized targets from a file and save findings to JSON.

USE CASE 3

Demonstrate SSRF impact by retrieving cloud metadata credentials during a red team exercise.

USE CASE 4

Teach a class on SSRF using a known vulnerable Next.js build.

Tech stack

Python · Requests · WebSockets

Getting it running

Difficulty · easy · Time to first run · 30 min

Only legal against systems you are authorized to test; requires Python 3.10+.

MIT license, free to use, modify, and redistribute with attribution; usage is restricted by the author to authorized testing only.

In plain English

NextPulse is a Python command line tool used by security researchers and bug bounty hunters to probe websites built with Next.js, a popular web framework. It targets a specific published vulnerability, tracked as CVE-2026-44578, in how certain versions of Next.js handle WebSocket upgrade requests. The README lists the exact version ranges that are affected, between Next.js 13.4.13 and 15.5.15 and between 16.0.0 and 16.2.4, and the fixed releases that close the issue.

The vulnerability belongs to a class of bug called Server-Side Request Forgery, or SSRF, in which the website's own server is tricked into making outbound requests on the attacker's behalf. The most damaging use is reaching internal cloud metadata endpoints: special addresses inside Amazon Web Services, Azure, Google Cloud, and similar platforms that hand out temporary credentials to anything that asks from the right network position.

NextPulse automates each step: it fingerprints the target, confirms whether the bug is present, sends the malformed upgrade request, and pulls back credentials from the cloud provider. The tool can be driven as a single scan, in an interactive shell with commands such as aws, azure, and url, or as a mass scanner reading a list of targets from a file or a pipe. Output can be saved to JSON for later review.

The author explicitly limits the intended use to authorized testing, bug bounty programs, red team work, and education, and includes a section of defensive guidance for the operators of vulnerable sites. The project requires Python 3.10 or newer and is released under the MIT license.

Copy-paste prompts

Prompt 1
Install NextPulse on Python 3.11 and run a single-target scan against a Next.js test app I control.
Prompt 2
Use NextPulse interactive mode to test only the AWS metadata path against a list of in-scope domains.
Prompt 3
Run NextPulse in mass mode against a file of authorized targets and write all hits to JSON.
Prompt 4
Show me how the WebSocket upgrade payload in NextPulse triggers CVE-2026-44578 and which Next.js versions it targets.
Prompt 5
Write a defensive checklist based on NextPulse output that an operator could use to patch and detect this SSRF.

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.