CVE-2025-66478 | Next.js / React Server Components RCE

CVE-2025-66478 is a critical vulnerability affecting Next.js applications that utilize React Server Components (RSC). It allows an unauthenticated remote attacker to execute arbitrary code on the server.

CVE-2025-66478: Next.js / React Server Components RCE

Status: Critical (CVSS 10.0)

Vulnerability Type: Remote Code Execution (RCE) via Insecure Deserialization

Affected Software: Next.js (specifically applications using the App Router)

Upstream Root Cause: CVE-2025-55182 (React)


Overview

Note on CVE Status: You may see this CVE listed as “Rejected” or a “Duplicate” in some databases (like NVD). This is procedural; the vulnerability is real, but it is technically a duplicate of the upstream React vulnerability (CVE-2025-55182). However, CVE-2025-66478 is still the primary identifier used to track the specific impact on Next.js.


Technical Details

  • Root Cause: The vulnerability exists in the React Server Components (RSC) “Flight” protocol. It involves insecure deserialization of payload data sent to the server.

  • Attack Vector: An attacker can send a specially crafted HTTP request to a Next.js server (targeting Server Actions or App Router endpoints). The server fails to properly validate the structure of the incoming payload, allowing the attacker to manipulate server-side execution logic.

  • Authentication: No authentication is required to exploit this flaw.

  • Impact: Full server compromise (Remote Code Execution).


Affected Versions

This vulnerability affects Next.js projects using the App Router.

  • Next.js 15.x (Prior to patched versions)

  • Next.js 16.x (Prior to patched versions)

  • Next.js 14.3.0-canary.77 and later canary releases.

Note: Next.js 13.x, Next.js 14.x (stable), and Pages Router applications are not affected.


Remediation & Patches

Immediate patching is required. Upgrade your Next.js dependency to one of the following fixed versions (or newer):

Release Line            Fixed Version (Minimum)
Next.js 16              16.0.7
Next.js 15              15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, 15.0.5
Next.js 14 (Canary)     Downgrade to stable v14 or upgrade to 15.x

Next Steps

  1. Check your package.json to see if you are using an affected version of next.

  2. Run npm audit or your preferred SCA tool to verify vulnerable dependencies.

  3. Update immediately (Bash):

     npm install next@latest
     # OR for a specific version line
     npm install next@15.5.7
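The steps above check package.json by eye and then rely on npm audit. The following script is an added example, not code from the advisory or from the Next.js project: a dependency-free Node.js check that reads the resolved next version out of package-lock.json (the lockfile, not the range in package.json, says what is actually installed) and classifies it against the fixed-version table in this post. The rules it encodes are exactly the ones stated here (13.x and stable 14.x not affected, 14.3.0-canary.77 and later canaries affected, per-minor minimum fixes for 15.x, 16.0.7 for 16.x); one assumption is labelled in the code: for a minor line the table does not list, it reads "or newer" literally and treats anything above the newest listed fix as patched. The embedded lockfile is a constructed sample.

```javascript
'use strict';
// Added example, not part of the advisory: classify the `next` version a
// project actually installs against the fixed-version table in this post.
// Plain Node.js, no third-party packages. Run as:
//   node check-next.js [package-lock.json]
// With no argument it checks the constructed sample lockfile embedded below.

// Minimum fixed versions per release line, copied from the table above.
const FIXED = {
  16: ['16.0.7'],
  15: ['15.5.7', '15.4.8', '15.3.6', '15.2.6', '15.1.9', '15.0.5'],
};
// 14.3.0-canary.77 and later 14 canaries are affected; stable 14.x is not.
const FIRST_AFFECTED_14_CANARY = 77;

function parseVersion(spec) {
  // Tolerates a leading range operator ("^15.1.0", "v15.1.0") and a prerelease tag.
  const m = String(spec).trim().match(/^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null, raw: m[0].replace(/^[\^~=v\s]*/, '') };
}

// Compare the numeric core only; prerelease handling is done by the caller.
function compareCore(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

function classifyNextVersion(spec) {
  const v = parseVersion(spec);
  if (!v) return { status: 'unknown', reason: `cannot parse version "${spec}"` };
  if (v.major <= 13) return { status: 'not-affected', reason: 'Next.js 13.x or earlier' };
  if (v.major === 14) {
    const canary = v.pre && /^canary\.(\d+)$/.exec(v.pre);
    if (canary && v.minor === 3 && v.patch === 0 && Number(canary[1]) >= FIRST_AFFECTED_14_CANARY) {
      return { status: 'vulnerable', reason: 'affected 14 canary: downgrade to stable 14 or upgrade to 15.x' };
    }
    return { status: 'not-affected', reason: 'stable Next.js 14.x' };
  }
  const line = (FIXED[v.major] || []).map(parseVersion);
  if (line.length === 0) return { status: 'unknown', reason: `no data for Next.js ${v.major}.x` };
  // Prefer the fix for the same minor line. For a minor the table does not list,
  // fall back to the newest listed fix and read "or newer" literally (assumption).
  const target = line.find((f) => f.minor === v.minor)
    || line.reduce((a, b) => (compareCore(a, b) >= 0 ? a : b));
  const cmp = compareCore(v, target);
  // A prerelease of the fixed version itself (e.g. 16.0.7-canary.1) predates the fix.
  const patched = cmp > 0 || (cmp === 0 && v.pre === null);
  return patched
    ? { status: 'patched', reason: `>= ${target.raw}` }
    : { status: 'vulnerable', reason: `upgrade to ${target.raw} or newer` };
}

// Pull the resolved `next` version out of a package-lock.json (lockfile v1, v2 or v3).
function installedNextVersion(lock) {
  const v3 = lock.packages && lock.packages['node_modules/next'];
  if (v3 && v3.version) return v3.version;
  const v1 = lock.dependencies && lock.dependencies.next;
  if (v1 && v1.version) return v1.version;
  return null;
}

function auditLockfile(lock) {
  const version = installedNextVersion(lock);
  if (!version) return { version: null, status: 'not-found', reason: '`next` is not in the lockfile' };
  return { version, ...classifyNextVersion(version) };
}

// Constructed sample lockfile (not real project data), used when no path is given.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: { 'node_modules/next': { version: '15.1.2' } },
};

if (typeof require === 'function' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  const r = auditLockfile(lock);
  console.log(`next@${r.version}: ${r.status} (${r.reason})`);
}
```

The lockfile is the right input because package.json usually carries a range such as ^15.1.0, which tells you nothing about whether the patched point release has actually been resolved; a CI job that runs this against every repository's package-lock.json gives a quick inventory before npm audit catches up. Pages Router applications are not affected, but a lockfile cannot tell you which router a project uses, so a "vulnerable" result for a Pages Router project is a false positive to triage by hand.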
