
CVE-2025-66478 - Critical Remote Code Execution in Next.js

On December 3, 2025, the Next.js maintainers published a security advisory for CVE-2025-66478, a critical remote code execution (RCE) vulnerability.
The flaw lies in how React Server Components (RSC) deserialize data sent in their wire format, the "Flight" protocol: a crafted payload can steer what the server executes while it is still decoding the request, before any application code runs.

Although the root defect is in React itself (tracked as CVE-2025-55182), Next.js inherits it under CVE-2025-66478 whenever an application uses the App Router, which enables RSC.

What’s the risk? What can an attacker do?

  • The flaw lets an unauthenticated remote attacker send a single crafted HTTP request carrying a malicious serialized Flight payload.

  • While deserializing that request, the server can be made to run attacker-controlled code, giving full remote code execution (RCE) with the privileges of the Node.js server process.

  • Consequences include reading or modifying sensitive data (environment variables, credentials), planting backdoors or web shells, lateral movement within the infrastructure, and deployment of ransomware or other malicious payloads.

Security researchers warned that exploitation was imminent given how widespread React and Next.js are; one estimate put the share of cloud environments with at least one vulnerable React/Next.js instance at up to 39%.

Affected Versions (at time of disclosure)

Next.js applications are vulnerable when they use the App Router (and therefore RSC) and run any of the following:

  • Next.js 15.x

  • Next.js 16.x

  • Next.js 14.3.0-canary.77 and later canary builds

Patched Next.js versions (upgrade to the one matching your release line):

  • 15.0.5

  • 15.1.9

  • 15.2.6

  • 15.3.6

  • 15.4.8

  • 15.5.7

  • 16.0.7

If you are on a canary build (14.3.0-canary.77 or later), the recommendation is to downgrade to the latest stable 14.x release, which is not in the affected list.

Why this matters - and why it’s especially dangerous

  • The vulnerability sits at the framework/protocol level (the RSC Flight deserializer), ahead of any application logic, so even apps that never define a Server Function or Server Action are exposed as long as the App Router is in use.

  • Exploitation needs no authentication and no prior misconfiguration; default setups are exploitable as shipped.

  • Because Next.js and React are used extensively worldwide, the potential impact spans a large portion of web applications - making it a high-priority fix for many organizations.

What to do - Mitigation & Remediation

To protect your applications (or those of your clients), take the following actions immediately:

  1. Upgrade Next.js to the patched release for your line (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7) if you use the App Router.

  2. If you are on a canary build (14.3.0-canary.77 or later), downgrade to the latest stable 14.x release.

  3. Audit the whole dependency tree, not just the top-level package.json: nested or transitive copies of the vulnerable RSC packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) must also be moved to the fixed React releases named in the upstream React advisory.

  4. If you run public-facing apps and cannot patch immediately, deploy WAF (web application firewall) rules that block suspicious RSC/Flight payload patterns; several cloud providers and WAF vendors have released temporary rules. Treat this as a stopgap only: signature rules can be bypassed by payload variations, and they do not remove the vulnerable code.

  5. After patching, verify the installed versions (for example with npm ls next, which also lists nested copies) and re-run your dependency scanner to confirm that no vulnerable component remains.

Context & Broader Implications

This vulnerability, also known as React2Shell (a name that refers to the upstream defect CVE-2025-55182), shows how the growing complexity of modern web frameworks (server-side components, custom serialization protocols and the like) can introduce subtle but critical security risks.

Because the flaw is at the protocol level rather than the result of misconfiguration, even default-installation applications, including ones freshly generated with create-next-app, are vulnerable.

For companies relying on Next.js or React Server Components, especially for production, public-facing services, the urgency is high: an unpatched server exposed to the internet can be compromised with a single request.
