Daniel Púa (@devploit):
🚨 New Next.js CVE: CVE-2026-44578. High-severity SSRF via WebSocket Upgrade handling in self-hosted Next.js apps using the built-in Node.js server. Unauthenticated. Network-reachable. CVSS 8.6 High. Vercel-hosted deployments are not affected. If you run Next.js on your own infra, read on 🧵
Daniel Púa (@devploit):
What happens? A crafted WebSocket Upgrade request can make the Next.js server proxy traffic to an attacker-controlled destination. In self-hosted environments, that can expose internal services, cloud metadata endpoints, or other network-reachable resources from the Next.js host.