CVE-2026-44578
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket...
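From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in versions 15.5.16 and 16.2.5.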
Server-side request forgery in applications using WebSocket upgrades
### Impact

Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the serve...