Next.js v16.2.4 Security PoC Collection is a specialized research repository that reverse-engineers proof-of-concept material for twelve security advisories fixed in the subsequent v16.2.5 release. Developed by dwisiswant0 and reverse-engineered with ProjectDiscovery's Neo tool, this project provides defensive researchers and security engineers with concrete exploit primitives and regression test cases for a critical patch window in Next.js history. The collection is explicitly designed for vulnerability analysis, detection logic development, and ensuring patched environments remain secure against regressions.

Architecture

The repository follows a clean, documentation-driven layout centered on the Neo analysis workspace. At its root, SUMMARY.md provides a commit-level diff analysis between v16.2.4 and v16.2.5, isolating the security-relevant commits that motivated the collection. The core content lives in the poc/ directory, structured as one bundle per advisory. Each subdirectory, named for its CVE and GHSA identifier, contains a consistent set of materials: a detailed README.md explaining the issue and exploit chain, a vulnerable-code.md with excerpts of the affected code, the upstream patch.diff, runnable primitives such as exploit.py or exploit.sh, the expected behavior in expected-output.txt, and occasionally a minimal vulnerable-app/ stub for reproduction. This design makes each PoC a self-contained unit for testing, with the entire collection driven by a single run-all.sh wrapper.

The project is implemented in Python, leveraging the language's simplicity for exploit scripting, and was built using Neo's capability to dissect and reconstruct vulnerability patterns from source changes. This approach prioritizes clarity and reproducibility over raw exploitation, aligning with its stated defensive purpose.

What you can do with it

The primary interaction is running exploits against a target Next.js v16.2.4 instance to verify vulnerability or test detection rules. A single advisory can be targeted directly via its exploit.sh, for example:

TARGET=http://localhost:3000 ./poc/CVE-2026-44574_GHSA-492v-c6pp-mqqv/exploit.sh

Alternatively, the run-all.sh script automates testing across all twelve advisories in sequence. Each PoC is engineered to demonstrate the specific flaw—whether it's a DoS via server-action streaming, a middleware bypass, connection exhaustion, or cache poisoning—using the minimal necessary payload. The included vulnerable-app/ stubs are particularly useful when setting up a full Next.js environment would be overkill, allowing researchers to validate the core logic in isolation.
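The per-advisory layout above (a bundle directory holding exploit.sh or exploit.py plus expected-output.txt, driven by the TARGET variable) lends itself to a regression harness: run every bundle against a patched build and flag any that still reproduce. The following is an added example written for this article, not code from the repository; it assumes that expected-output.txt records the output seen against the vulnerable v16.2.4 target, and the sample tree it builds is constructed here for illustration.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

def find_primitive(poc_dir: Path) -> Optional[List[str]]:
    # Prefer exploit.sh, fall back to exploit.py; run via sh/python so no exec bit is needed.
    for name, runner in (("exploit.sh", ["sh"]), ("exploit.py", [sys.executable])):
        if (poc_dir / name).is_file():
            return runner + [str(poc_dir / name)]
    return None

def run_poc(poc_dir: Path, target: str, timeout: float = 30.0) -> Optional[bool]:
    """Run one primitive with TARGET set; True means its output matched expected-output.txt."""
    cmd = find_primitive(poc_dir)
    expected_file = poc_dir / "expected-output.txt"
    if cmd is None or not expected_file.is_file():
        return None  # not a runnable bundle, skip it
    proc = subprocess.run(cmd, cwd=poc_dir, env=dict(os.environ, TARGET=target), capture_output=True, text=True, timeout=timeout)
    expected = expected_file.read_text().strip()
    # Assumption: expected-output.txt records vulnerable v16.2.4 behaviour, so a match means the flaw reproduced.
    return bool(expected) and expected in proc.stdout

def run_suite(poc_root: Path, target: str) -> Dict[str, bool]:
    """Advisory directory name -> reproduced?  A patched target should yield all False."""
    results: Dict[str, bool] = {}
    for d in sorted(p for p in poc_root.iterdir() if p.is_dir() and p.name.startswith("CVE-")):
        hit = run_poc(d, target)
        if hit is not None:
            results[d.name] = hit
    return results

def regressions(results: Dict[str, bool]) -> List[str]:
    """Advisories that still reproduce, i.e. regressions when run against a patched build."""
    return sorted(name for name, hit in results.items() if hit)

def build_sample_tree() -> Path:
    """Constructed fixture (not from the repository): one bundle that reproduces, one that does not."""
    root = Path(tempfile.mkdtemp()) / "poc"
    a, b = root / "CVE-0000-0001_GHSA-aaaa", root / "CVE-0000-0002_GHSA-bbbb"
    for d in (a, b):
        d.mkdir(parents=True)
        (d / "expected-output.txt").write_text("vulnerable: streaming response hung\n")
    (a / "exploit.sh").write_text('echo "$TARGET vulnerable: streaming response hung"\n')
    (b / "exploit.py").write_text('print("fixed: server closed the stream")\n')
    return root

if __name__ == "__main__":  # e.g. TARGET=http://localhost:3000 python harness.py
    print("regressions:", regressions(run_suite(Path("poc"), os.environ["TARGET"])) or "none")
```

Against a v16.2.5 target every bundle should report False; any True entry is a regression worth a closer look at the matching patch.diff.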

The poc/README.md serves as the definitive guide, offering a severity breakdown, hosting-model applicability notes (e.g., self-hosted only for certain WebSocket and image optimizer issues), and the methodology behind each PoC's construction. This makes the collection not just a set of exploits, but a reference for understanding the security evolution of Next.js during that release cycle.

Constraints and gotchas

The material is locked to a specific version pair: the exploits assume a vulnerable v16.2.4 target, and the fixes are found in v16.2.5. This tight focus is a strength for regression testing but limits direct applicability to newer Next.js versions, which may require adapting the primitives. Several advisories—like the WebSocket SSRF (CVE-2026-44578) and image optimizer decompression bomb (CVE-2026-44577)—are marked "self-hosted only," meaning they cannot be exploited in the Vercel-hosted environment, a critical consideration for cloud users.

The severity spectrum ranges from high (DoS, bypasses) to low (weak cache hashes, header redirect cache poisoning), so not every PoC represents a critical threat. Researchers should consult the detailed CVSS and CWE mappings in poc/README.md to prioritize. Finally, while the exploits are designed for defensive use, testing should only occur on systems you own or are explicitly authorized to assess.

Getting started

Begin by reading SUMMARY.md for the release analysis, then the main poc/README.md for the full advisory matrix. From there, select a PoC directory and follow its local README.md for specific setup. The exploit scripts are the primary interface—set the TARGET environment variable and execute. For the complete picture, the README holds all installation and prerequisite details; this article does not replicate those steps.

When to use it

This collection is invaluable for security researchers maintaining regression test suites, developers auditing legacy Next.js v16 applications, and detection engineers building signatures for vulnerability scans. It offers a faster, more structured alternative to manually diffing patch commits or scouring vulnerability reports for reproducible steps. However, for those working with modern Next.js versions (v17+), the direct relevance diminishes unless investigating variant analysis or historical patterns. The project sits alongside other security research tools like the GitHub Security Lab's examples or vendor advisories—it's a niche, time-bound resource with enduring value for defensive testing.

The source is on GitHub and was reverse-engineered with the Neo workspace at https://neo.projectdiscovery.io/share/d250e203-4313-4be3-b108-837c2f8ea693.