explaingit

dinosn/cve-2026-44578

Analysis updated 2026-05-18

3PythonAudience · developerComplexity · 3/5Setup · moderate

TLDR

A security research lab and proof-of-concept that demonstrates a Next.js WebSocket SSRF bug that can leak cloud credentials.

Mindmap

mindmap
  root((repo))
    What it does
      Documents a Next.js CVE
      Provides exploit PoC
      Runs a Docker lab
    Tech stack
      Python
      Docker Compose
      Next.js
    Use cases
      Study the SSRF bug
      Test if a deployment is vulnerable
      Verify a patched version
    Audience
      Security researchers
      DevOps teams
    Setup
      Needs Docker
      Needs Python 3.10 plus
    Notes
      CVSS 8.6 severity
      No auth required to exploit

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Reproduce CVE-2026-44578 in an isolated Docker lab to understand how it works.

USE CASE 2

Test whether a self-hosted Next.js deployment is vulnerable before patching.

USE CASE 3

Verify that upgrading to a fixed Next.js version blocks the exploit.

USE CASE 4

Study how URL slash normalization bugs can lead to SSRF.

What is it built with?

PythonDockerNext.js

How does it compare?

dinosn/cve-2026-445780marildo/imagoagentlexi/agent-lexi
Stars333
LanguagePythonPythonPython
Setup difficultymoderateeasymoderate
Complexity3/52/54/5
Audiencedevelopergeneralvibe coder

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires Docker and Docker Compose to run the lab's five containers.

The README does not state license terms in the shown portion.

In plain English

This repository documents and demonstrates CVE-2026-44578, a security vulnerability found in self-hosted Next.js deployments. It is a security research project, not an app for end users, it exists to explain the bug, prove it works, and let researchers or defenders test it safely in an isolated lab. The vulnerability lives in the WebSocket upgrade handling code inside Next.js's router server. Normally, when Next.js decides whether to forward, or proxy, an incoming request to another address, it checks that routing has actually finished before doing so. The buggy code path skipped that check for WebSocket upgrade requests. Combined with how Next.js cleans up repeated slashes in a URL, a specially crafted request using a URL like http:/// gets its hostname stripped out entirely, and the proxy code then quietly connects to localhost port 80 instead. If anything sensitive happens to be listening there, such as a cloud provider's metadata service that hands out temporary AWS credentials, an attacker can read it with a single unauthenticated request. The bug is rated 8.6 out of 10 in severity, requires no login and no user interaction, and affects a range of Next.js versions from 13.4.13 through 16.2.4 when self-hosted, it is fixed in 15.5.16 and 16.2.5. To let people reproduce and study the issue safely, the repository includes a Docker Compose lab with five containers: a vulnerable Next.js instance, a patched Next.js instance, two fake AWS metadata services attached to each one to stand in for a real cloud instance, and a mock internal service. A Python proof of concept script runs a set of SSRF test probes against a target and reports which ones succeed, and the README includes raw netcat commands for manually sending the crafted WebSocket upgrade request, since ordinary tools like curl cannot construct the unusual URL shape the exploit needs. Screenshots in the repository show the vulnerable instance leaking IAM credentials, instance metadata, and secrets baked into instance startup scripts, and show the same requests being cleanly rejected once the patched version is running.

Copy-paste prompts

Prompt 1
Help me set up the Docker lab in this repo and run the vulnerable and patched Next.js containers.
Prompt 2
Explain step by step how the WebSocket upgrade request in this exploit strips the hostname.
Prompt 3
Walk me through running poc.py against my own Next.js instance to check for this vulnerability.
Prompt 4
Summarize the fix in Next.js 15.5.16 that closes this SSRF vulnerability.

Frequently asked questions

What is cve-2026-44578?

A security research lab and proof-of-concept that demonstrates a Next.js WebSocket SSRF bug that can leak cloud credentials.

What language is cve-2026-44578 written in?

Mainly Python. The stack also includes Python, Docker, Next.js.

What license does cve-2026-44578 use?

The README does not state license terms in the shown portion.

How hard is cve-2026-44578 to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is cve-2026-44578 for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.