Next.js Server-Side Request Forgery Vulnerability via WebSocket Upgrades

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Next.js, a React framework for full-stack web applications. It affects self-hosted applications that use the built-in Node.js server, specifically versions from 13.4.13 up to but not including 15.5.16, and from 16.0.0 up to but not including 16.2.5. The vulnerability arises from crafted WebSocket upgrade requests that can cause the server to proxy requests to arbitrary internal or external destinations, which can expose internal services or cloud metadata endpoints. Deployments hosted on Vercel are not affected.

Impact

Successful exploitation lets an attacker make the server proxy requests to unintended internal or external destinations, possibly exposing sensitive internal services or cloud metadata.

Remediation

Upgrade to Next.js 15.5.16 or 16.2.5, which contain the fix. If an immediate upgrade is not possible, avoid exposing the origin server to untrusted networks. For applications that do not require WebSocket upgrades, block such upgrades at the reverse proxy or load balancer. Additionally, restrict the origin server's outgoing connections to internal networks and metadata services where possible.
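For the reverse-proxy mitigation described above, here is an added example (not part of this advisory or of the Next.js project) of an nginx configuration that rejects WebSocket upgrade requests before they reach a self-hosted Next.js origin; the upstream address, server name and TLS settings are assumptions.

```nginx
# Added example, not from the advisory: refuse WebSocket upgrades at the edge
# for a Next.js deployment that does not need them. Upstream 127.0.0.1:3000
# and the server name are assumed values.
map $http_upgrade $deny_upgrade {
    default          0;
    "~*^websocket$"  1;   # case-insensitive match on the Upgrade header
}

upstream nextjs_origin {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name app.example.com;
    # ssl_certificate / ssl_certificate_key assumed to be configured elsewhere

    location / {
        # Reject any request that asks to upgrade to WebSocket.
        if ($deny_upgrade) {
            return 403;
        }

        proxy_pass http://nextjs_origin;
        proxy_http_version 1.1;

        # Defence in depth: an empty value makes nginx drop the header, so the
        # origin never receives Upgrade/Connection even if a request slips by.
        proxy_set_header Upgrade "";
        proxy_set_header Connection "";

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Requests that are refused show up in the nginx access log as 403 responses, which gives a simple signal for monitoring upgrade attempts against the origin.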

Added: May 13, 2026, 7:49 PM
Updated: May 13, 2026, 7:49 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 7.3
remediation: 7.9
relevance: 8.2
threat: 0.1
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.