Scan a self hosted Next.js server to check if it is vulnerable to CVE-2026-44578.
Pull temporary AWS or Azure cloud credentials from a confirmed vulnerable target during authorized testing.
Feed lists of live hosts from other recon tools into a mass SSRF scan.
Check server logs for signs this exploit was attempted against your own infrastructure.
| ynsmroztas/nextssrf | 0xh4ku/manga-pdf-to-epub | ayyouboss0011/sherlockmaps | |
|---|---|---|---|
| Stars | 60 | 60 | 60 |
| Language | Python | Python | Python |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 3/5 | 2/5 | 3/5 |
| Audience | researcher | general | data |
Figures from each repo's GitHub metadata at analysis time.
Needs Python 3.10 or newer, no other dependencies.
NextSSRF is a Python command line tool built to scan for and demonstrate a specific security flaw, CVE-2026-44578, found in Next.js. The bug affects self hosted Next.js deployments running version 13.4.13 through 15.5.15, and separately 16.0.0 through 16.2.4. It lets an attacker send a specially formed HTTP request that tricks the server's WebSocket upgrade handler into forwarding traffic to an address the attacker chooses, a technique known as server side request forgery, or SSRF. In practice this can be used to reach internal services that should never be exposed to the outside world, such as cloud metadata endpoints that hold temporary credentials.\n\nThe tool has no external dependencies beyond Python 3.10 or newer, since it only uses the standard library. It can scan a single target, focus on a specific cloud provider such as AWS or Azure, or run across large lists of hosts piped in from other reconnaissance tools. Once a vulnerable target is confirmed, an interactive shell lets the user detect the cloud provider automatically and, where possible, pull out temporary IAM credentials to show the impact of the flaw.\n\nThe README documents clear limits: only GET requests work, only port 80 is reachable, and common defenses like AWS IMDSv2 or a reverse proxy in front of the application block the attack outright. It also includes a section aimed at defenders, showing what exploitation attempts look like in server logs and how to block them with a simple Nginx rule.\n\nThe project states plainly that it is meant only for authorized security testing and bug bounty work carried out with permission. The author, who describes themselves as an active bug bounty researcher, is clear that misuse of the tool is the user's own responsibility.
A Python tool that scans for and demonstrates CVE-2026-44578, an SSRF flaw in self hosted Next.js servers, for authorized security testing.
Mainly Python. The stack also includes Python.
Free to use, modify, and distribute, including commercially, as long as the copyright notice is kept.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.