Urgent: Next.js CVE-2025-66478 Vulnerability: What You Need to Know and Do Now

Immediate Action Required for Next.js Security

A critical flaw has put Next.js applications using React Server Components (RSC) and the App Router at serious risk. This vulnerability, identified as CVE-2025-66478 and scoring a maximum 10.0 on the CVSS scale, allows attackers to execute malicious code remotely if your server is unpatched. Swift action is essential to safeguard your apps and data from potential exploitation.

Understanding CVE-2025-66478

The root of this vulnerability lies in a protocol issue within React Server Components, as detailed in CVE-2025-55182. In practice, attackers can exploit untrusted input to manipulate server-side execution in Next.js.

This makes it possible for them to trigger unintended server operations and, ultimately, execute arbitrary code on your infrastructure. If your Next.js app is not up to date, it is exposed to this severe threat.

Who Should Be Concerned?

  • Next.js 15.x and 16.x installations are directly affected.
  • Next.js 14.3.0-canary.77 and later canary releases are also at risk.
  • Earlier stable versions (13.x, 14.x), instances using the Pages Router, or those running on the Edge Runtime are not impacted.

Patch Now: How to Protect Your Application

The Next.js development team has released urgent patches. To ensure security, upgrade to the latest version in your release line:

  • For Next.js 15.x, update to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, or 15.5.7.
  • For Next.js 16.x, upgrade to 16.0.7.
  • Canary users should adopt 15.6.0-canary.58 (for 15.x) or 16.1.0-canary.12 (for 16.x).
  • If running Next.js 14.3.0-canary.77 or later, downgrade to the latest stable 14.x release.

There is no workaround; upgrading is the only way to resolve this risk. For a guided upgrade, use the npx fix-react2shell-next tool. If you need features like PPR, patched canary builds are available. Staying on an unpatched version leaves your app open to attack.

Discovery and Responsible Disclosure

Security researcher Lachlan Davidson identified and responsibly reported the flaw. To shield organizations that have not yet updated, the full technical details are being withheld for now.

Further Reading and Official Guidance

Key Takeaway

Keeping dependencies updated is vital for security, especially with cutting-edge features like React Server Components. Review your Next.js version now, upgrade immediately if needed, and use the official tools to confirm your environment’s safety. Delaying patches exposes your application to remote code execution threats; act now to protect your users and business.

Source: Next.js Security Advisory: CVE-2025-66478


Joshua Berkowitz December 7, 2025