
AIKIDO-2026-10758

next is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF), GHSA-c4j6-fc7j-m34r, published May 7, 2026

Score: 86 (High Risk)

This affects:

- JS package next, versions 13.4.13 - 15.5.15 (fixed in 15.5.16)
- JS package next, versions 16.0.0 - 16.2.4 (fixed in 16.2.5)

TL;DR

WebSocket upgrade proxying in self-hosted deployments can be abused to reach arbitrary destinations. Crafted upgrade requests can trigger outbound proxy behavior toward internal or external targets. This creates server-side request forgery risk and possible exposure of internal services. The fix applies existing external rewrite safety checks to upgrade handling.

Who does this affect?

You are affected if you run a version of next that falls within one of the vulnerable ranges listed above.

Background info

next is vulnerable to Server-Side Request Forgery (SSRF) in versions 13.4.13 - 15.5.15 and 16.0.0 - 16.2.4.

How to fix this

Upgrade the next library to a patched version: 15.5.16 for the 13.x-15.x line, or 16.2.5 for the 16.x line.
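As an added example (not code from the advisory or from the Next.js project), the following script checks an installed next version against the affected ranges stated above and shows the kind of destination allowlist check a self-hosted deployment can apply before a WebSocket upgrade is proxied; the allowlist function is a generic hardening pattern, not Next.js's actual fix.

```javascript
// Affected ranges copied from the advisory above; fixed versions likewise.
const AFFECTED_RANGES = [
  { min: "13.4.13", max: "15.5.15", fixed: "15.5.16" },
  { min: "16.0.0", max: "16.2.4", fixed: "16.2.5" },
];

// Parse "MAJOR.MINOR.PATCH". A leading "v" is accepted; a prerelease or build
// suffix is dropped, so a prerelease is treated as its base version (simplification).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of the three components: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the version to upgrade to when `version` is inside an affected
// range, or null when the installed version is outside every range.
function affectedNextVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) <= 0) {
      return r.fixed;
    }
  }
  return null;
}

// Illustrative gate for proxied upgrade requests: the resolved target must be a
// well-formed ws/wss/http/https URL whose origin is on an explicit allowlist,
// so an internal host or an arbitrary external host is never reached.
function upgradeTargetAllowed(target, allowedOrigins) {
  let u;
  try { u = new URL(target); } catch { return false; }
  const okScheme = ["ws:", "wss:", "http:", "https:"].includes(u.protocol);
  return okScheme && allowedOrigins.includes(u.origin);
}
```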