Critical RCE Vulnerability Discovered in React Server Components and Next.js (GHSA-9qr9-h5gf-34mp)
A critical RCE vulnerability (CVE-2025-66478) affects React Server Components and Next.js versions 15.x and 16.x using the App Router. Immediate upgrade is advised.
Published: December 3, 2025
GHSA-ID: GHSA-9qr9-h5gf-34mp
A critical Remote Code Execution (RCE) vulnerability has been identified affecting certain React packages and frameworks that utilize them, including Next.js 15.x and 16.x when using the App Router. This issue is tracked upstream as CVE-2025-55182 and assigned CVE-2025-66478 for this advisory. The vulnerability is related to the deserialization of untrusted data (CWE-502).
Affected Packages & Versions
Package: next (npm)
Affected versions:
- >=14.3.0-canary.77
- >=15
- >=16
This vulnerability specifically impacts React packages for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, and by extension, Next.js versions 15.x and 16.x that use the App Router.
The affected React packages are:
- react-server-dom-parcel
- react-server-dom-turbopack
- react-server-dom-webpack
Patched Versions
Users are strongly urged to upgrade to the following patched versions immediately:
Fixed in React:
- 19.0.1
- 19.1.2
- 19.2.1
Fixed in Next.js:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 16.0.7
- 15.6.0-canary.58
- 16.1.0-canary.12+
For users on any experimental 14.3 canary build starting with 14.3.0-canary.77, it is recommended to downgrade either to a stable 14.x release or to 14.3.0-canary.76. All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.
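The affected and patched version lists above can be turned into a dependency check. The following is an added example, not code from the advisory or from the React or Next.js projects: it encodes the ranges stated in this advisory and classifies the resolved versions found in a lockfile. The function names, the status labels, and the dependency map SAMPLE_DEPENDENCIES are constructed for illustration. Release lines that the advisory does not name are reported as 'unlisted' rather than guessed, and the 14.3 canary line is reported separately because no patched 14.3 build is listed.

```javascript
// Added example, not advisory or project code: classify resolved dependency
// versions against the affected/patched lists in GHSA-9qr9-h5gf-34mp.

// Packages and exact versions the advisory names as affected.
const AFFECTED_REACT_PACKAGES = [
  'react-server-dom-parcel', 'react-server-dom-turbopack', 'react-server-dom-webpack',
];
const AFFECTED_REACT_VERSIONS = ['19.0.0', '19.1.0', '19.1.1', '19.2.0'];

// First patched Next.js release of each release line the advisory names, keyed
// by "major.minor". The 14.3 canary line has no patched build (downgrade instead).
const NEXT_FIRST_FIXED = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '15.6': '15.6.0-canary.58',
  '16.0': '16.0.7', '16.1': '16.1.0-canary.12',
};

// Parse "15.6.0-canary.58" into { core: [15, 6, 0], pre: ['canary', 58] }.
// Expects a resolved version (as in a lockfile), not a range such as "^15.0.0".
function parseVersion(version) {
  const clean = String(version).trim().replace(/^v/, '');
  const dash = clean.indexOf('-');
  const coreText = dash === -1 ? clean : clean.slice(0, dash);
  const coreParts = coreText.split('.');
  if (coreParts.length !== 3 || !coreParts.every(p => /^\d+$/.test(p))) {
    throw new Error(`not a resolved semver version: ${version}`);
  }
  const core = coreParts.map(Number);
  const pre = dash === -1
    ? []
    : clean.slice(dash + 1).split('.').map(id => (/^\d+$/.test(id) ? Number(id) : id));
  return { core, pre };
}

// Semantic-versioning order: major.minor.patch first, then prerelease
// identifiers; a release without a prerelease tag is newer than one with it.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] - B.core[i];
  }
  if (A.pre.length === 0 || B.pre.length === 0) return B.pre.length - A.pre.length;
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    const x = A.pre[i], y = B.pre[i];
    if (x === undefined) return -1;       // shorter prerelease list sorts first
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return x - y;
    if (typeof x === 'number') return -1; // numeric identifiers sort before alphanumeric
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

function classifyNext(version) {
  const [major, minor] = parseVersion(version).core;
  if (major < 14 || (major === 14 && minor < 3)) return 'not-affected';
  if (major === 14) {
    // ">=14.3.0-canary.77" is affected and no patched 14.3 build is listed
    return compareVersions(version, '14.3.0-canary.77') >= 0 ? 'vulnerable-no-fix' : 'not-affected';
  }
  if (major === 15 || major === 16) {
    const fixed = NEXT_FIRST_FIXED[`${major}.${minor}`];
    if (!fixed) return 'unlisted'; // release line not named in the advisory: check manually
    return compareVersions(version, fixed) >= 0 ? 'patched' : 'vulnerable';
  }
  return 'unlisted';
}

// The advisory lists exact affected versions for the react-server-dom-* packages.
function classifyReactServerDom(name, version) {
  if (!AFFECTED_REACT_PACKAGES.includes(name)) return 'not-affected';
  const hit = AFFECTED_REACT_VERSIONS.some(v => compareVersions(version, v) === 0);
  return hit ? 'vulnerable' : 'not-affected';
}

// deps: { packageName: resolvedVersion } as taken from a lockfile.
function auditDependencies(deps) {
  return Object.entries(deps).map(([name, version]) => ({
    name,
    version,
    status: name === 'next' ? classifyNext(version) : classifyReactServerDom(name, version),
  }));
}

// Constructed sample of resolved versions, not real project data.
const SAMPLE_DEPENDENCIES = {
  next: '15.4.7',
  'react-server-dom-webpack': '19.1.1',
  react: '19.1.1',
  'react-dom': '19.1.1',
};

for (const f of auditDependencies(SAMPLE_DEPENDENCIES)) {
  console.log(`${f.name}@${f.version}: ${f.status}`);
}
```

Feed the checker resolved versions (for example from package-lock.json or the output of `npm ls next react-server-dom-webpack`), not the range specifiers in package.json: a range such as `^15.0.0` says nothing about which build is actually installed.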
Severity
Critical - 10.0 CVSS overall score
This vulnerability has received the highest possible severity rating of 10.0 based on the Common Vulnerability Scoring System (CVSS v3.1).
CVSS v3.1 Base Metrics
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): None
- User Interaction (UI): None
- Scope (S): Changed
- Confidentiality (C): High
- Integrity (I): High
- Availability (A): High
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Explanation of Base Metrics:
- Attack Vector: The vulnerability can be exploited by attackers who are remote, both logically and physically. Severity increases the more remote an attacker can be.
- Attack Complexity: The attack requires minimal effort or prerequisites. Severity is highest for the least complex attacks.
- Privileges Required: No special user privileges are needed for exploitation. Severity is highest when no privileges are required.
- User Interaction: No user interaction is needed for a successful exploit. Severity is highest when no user interaction is required.
- Scope: The vulnerability allows an attacker to impact resources beyond the security scope of the vulnerable component. Severity is higher when a scope change occurs.
- Confidentiality: A complete loss of confidentiality is possible, granting unauthorized access to all information. Severity is highest when the loss of confidentiality is total.
- Integrity: A complete loss of integrity is possible, allowing unauthorized modification of all data. Severity is highest when the loss of integrity is total.
- Availability: A complete loss of availability of the impacted component is possible. Severity is highest when the loss of availability is total.
Weaknesses
CWE-502: Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid or safe, leading to potential arbitrary code execution.