whatisgithub

What is nextssrf?

ynsmroztas/nextssrf — explained in plain English

Analysis updated 2026-05-18

60PythonAudience · researcherComplexity · 3/5LicenseSetup · easy

In one sentence

A Python tool that scans for and demonstrates CVE-2026-44578, an SSRF flaw in self hosted Next.js servers, for authorized security testing.

Mindmap

mindmap
  root((nextssrf))
    What it does
      Scans for CVE-2026-44578
      Demonstrates SSRF impact
      Extracts cloud IAM creds
    Tech stack
      Python 3.10+
      Standard library only
    Use cases
      Bug bounty testing
      Blue team detection
      Mass host scanning
    Audience
      Security researchers
      Bug bounty hunters
    Limitations
      GET only
      Port 80 only
      Blocked by reverse proxies

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a self hosted Next.js server to check if it is vulnerable to CVE-2026-44578.

USE CASE 2

Pull temporary AWS or Azure cloud credentials from a confirmed vulnerable target during authorized testing.

USE CASE 3

Feed lists of live hosts from other recon tools into a mass SSRF scan.

USE CASE 4

Check server logs for signs this exploit was attempted against your own infrastructure.

What is it built with?

Python

How does it compare?

ynsmroztas/nextssrf0xh4ku/manga-pdf-to-epubayyouboss0011/sherlockmaps
Stars606060
LanguagePythonPythonPython
Setup difficultyeasymoderatemoderate
Complexity3/52/53/5
Audienceresearchergeneraldata

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Needs Python 3.10 or newer, no other dependencies.

Free to use, modify, and distribute, including commercially, as long as the copyright notice is kept.

So what is it?

NextSSRF is a Python command line tool built to scan for and demonstrate a specific security flaw, CVE-2026-44578, found in Next.js. The bug affects self hosted Next.js deployments running version 13.4.13 through 15.5.15, and separately 16.0.0 through 16.2.4. It lets an attacker send a specially formed HTTP request that tricks the server's WebSocket upgrade handler into forwarding traffic to an address the attacker chooses, a technique known as server side request forgery, or SSRF. In practice this can be used to reach internal services that should never be exposed to the outside world, such as cloud metadata endpoints that hold temporary credentials.\n\nThe tool has no external dependencies beyond Python 3.10 or newer, since it only uses the standard library. It can scan a single target, focus on a specific cloud provider such as AWS or Azure, or run across large lists of hosts piped in from other reconnaissance tools. Once a vulnerable target is confirmed, an interactive shell lets the user detect the cloud provider automatically and, where possible, pull out temporary IAM credentials to show the impact of the flaw.\n\nThe README documents clear limits: only GET requests work, only port 80 is reachable, and common defenses like AWS IMDSv2 or a reverse proxy in front of the application block the attack outright. It also includes a section aimed at defenders, showing what exploitation attempts look like in server logs and how to block them with a simple Nginx rule.\n\nThe project states plainly that it is meant only for authorized security testing and bug bounty work carried out with permission. The author, who describes themselves as an active bug bounty researcher, is clear that misuse of the tool is the user's own responsibility.

Copy-paste prompts

Prompt 1
Explain how CVE-2026-44578 lets an attacker reach cloud metadata endpoints through a Next.js WebSocket handler.
Prompt 2
Help me write an Nginx rule that blocks absolute-form request URIs like the one nextssrf.py sends.
Prompt 3
Walk me through using nextssrf.py to test my own Next.js staging server for this SSRF bug.
Prompt 4
Show me how to pipe subfinder and httpx output into nextssrf.py for a mass authorized scan.

Frequently asked questions

What is nextssrf?

A Python tool that scans for and demonstrates CVE-2026-44578, an SSRF flaw in self hosted Next.js servers, for authorized security testing.

What language is nextssrf written in?

Mainly Python. The stack also includes Python.

What license does nextssrf use?

Free to use, modify, and distribute, including commercially, as long as the copyright notice is kept.

How hard is nextssrf to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is nextssrf for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.