How the Attack Works
A serious security vulnerability has been discovered in self-hosted Next.js applications. The flaw is a Server-Side Request Forgery (SSRF) issue, which allows an attacker to send specially crafted WebSocket requests to the built-in Node.js server. The server then mistakenly acts as a proxy, forwarding these malicious requests to internal or external destinations. Because the request originates from the trusted server itself, it can bypass external firewalls and access normally protected systems.
This positions the attacker to query internal network services, reach unprotected administration dashboards and, critically, connect to cloud metadata endpoints. Those metadata endpoints are a prime target because they often serve temporary IAM credentials, API tokens and other deployment secrets. The vulnerability specifically affects applications that manage their own hosting infrastructure and rely on the default Node.js server.
Impact and Required Action
The consequences of this flaw are severe, ranging from stolen cloud credentials and API keys to full network compromise through pivoting into internal systems. Vercel-hosted applications are not affected by this issue. The development team has released patches that implement strict safety checks for WebSocket upgrade handling, ensuring the server only forwards requests when configurations explicitly mark them as safe external rewrites.
Organizations are strongly advised to upgrade to the latest patched versions of Next.js immediately. For those unable to patch, network-level controls are critical. Administrators should configure reverse proxies or load balancers to block all WebSocket upgrade requests if the application does not use them. Additionally, security teams must restrict the server's outbound traffic so that it cannot reach cloud metadata services or unrelated internal networks.
Source: Cyber Security News