Urgent Security Advisory: Next.js Remote Code Execution Vulnerability (CVE-2025-66478)
Urgent security advisory: CVE-2025-66478 is a critical RCE (CVSS 10.0) affecting Next.js apps that use React Server Components (App Router). Immediate patching of Next.js 15.x, 16.x, and the affected 14.x canary releases is required.
If your application was reachable while it was unpatched, assume its secrets may have been read and rotate them once the patched version is deployed, starting with the most critical ones.
An npm package, fix-react2shell-next, is available to update affected Next.js applications. Use npx fix-react2shell-next to update now, or refer to its GitHub repository for more details.
A critical vulnerability has been identified in the React Server Components (RSC) protocol. The issue is rated CVSS 10.0 and can allow remote code execution when processing attacker-controlled requests in unpatched environments.
This vulnerability originates in the upstream React implementation (CVE-2025-55182). This advisory (CVE-2025-66478) tracks the downstream impact on Next.js applications using the App Router.
Impact
The vulnerable RSC protocol allowed untrusted request data to influence server-side execution. Under specific conditions, an attacker could craft requests that trigger unintended server execution paths, which in unpatched environments can result in remote code execution. The CVSS 10.0 rating reflects a network-reachable flaw that needs no authentication or user interaction, so any App Router deployment that accepts requests from untrusted clients should be treated as exposed.
All users should upgrade to a patched version immediately; specific instructions are provided below.
Affected Next.js Versions
Applications using React Server Components with the App Router are affected when running:
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases
Next.js 13.x, Next.js 14.x stable, Pages Router applications, and the Edge Runtime are not affected.
Fixed Versions
The vulnerability is fully resolved in the following patched Next.js releases:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 16.0.7
We also released patched canary releases for Next.js 15 and 16:
- 15.6.0-canary.58 (for 15.x canary releases)
- 16.1.0-canary.12 (for 16.x canary releases)
These versions include the hardened React Server Components implementation.
Required Action
All users should upgrade to the latest patched version in their release line:
npm install next@15.0.5 # for 15.0.x
npm install next@15.1.9 # for 15.1.x
npm install next@15.2.6 # for 15.2.x
npm install next@15.3.6 # for 15.3.x
npm install next@15.4.8 # for 15.4.x
npm install next@15.5.7 # for 15.5.x
npm install next@16.0.7 # for 16.0.x
npm install next@15.6.0-canary.58 # for 15.x canary releases
npm install next@16.1.0-canary.12 # for 16.x canary releases
If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
npm install next@14
If you're currently using canary releases to enable PPR, you can update to 15.6.0-canary.58, which includes a fix for the vulnerability while continuing to support PPR. For other ways to patch older versions, see this discussion post.
Run npx fix-react2shell-next to launch an interactive tool which can check versions and perform deterministic version bumps per the recommended versions above. See the GitHub repository for full details.
npx fix-react2shell-next
There is no workaround—upgrading to a patched version is required.
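To make the version mapping above checkable without the interactive tool, here is an added example (not code from the advisory or from fix-react2shell-next) that classifies a `next` version against the affected and fixed ranges stated on this page and names the release to install. The sample package.json and version list are constructed for the demonstration; the function and constant names are this example's own.

```javascript
// Added example, not code from the advisory or from fix-react2shell-next:
// classify an installed `next` version against the affected and fixed
// ranges stated in this advisory and name the release to install.
// A version match is necessary but not sufficient: only App Router (RSC)
// apps are exposed; Pages Router apps and the Edge Runtime are not.

// Patched stable release for each 15.x/16.x minor line listed in the advisory.
const FIXED_STABLE = { '15.0': 5, '15.1': 9, '15.2': 6, '15.3': 6, '15.4': 8, '15.5': 7, '16.0': 7 };
// Patched canary line per major (major.minor.patch-canary.N).
const FIXED_CANARY = { 15: { minor: 6, patch: 0, canary: 58 }, 16: { minor: 1, patch: 0, canary: 12 } };
// First affected 14.x canary; every later 14.x canary is also affected.
const FIRST_BAD_14_CANARY = { minor: 3, patch: 0, canary: 77 };

// Parse "15.4.2" or "16.1.0-canary.9". Returns null for dist-tags, ranges
// or anything else that must be resolved against the lockfile first.
function parseNextVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], canary: m[4] === undefined ? null : +m[4] };
}

// Lexicographic compare of two equal-length number arrays: -1, 0 or 1.
function cmpTuple(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { status, target }: status is 'affected', 'patched', 'not-affected'
// or 'unknown' (a version the advisory does not cover); target is the npm
// spec to install when status is 'affected'.
function assessNextVersion(v) {
  const p = parseNextVersion(v);
  if (!p) return { status: 'unknown', target: null };
  const { major, minor, patch, canary } = p;

  if (major <= 13) return { status: 'not-affected', target: null };

  if (major === 14) {
    // 14.x stable is safe; only the canary line from 14.3.0-canary.77 onward is affected.
    if (canary === null) return { status: 'not-affected', target: null };
    const b = FIRST_BAD_14_CANARY;
    const affected = cmpTuple([minor, patch, canary], [b.minor, b.patch, b.canary]) >= 0;
    return affected ? { status: 'affected', target: 'next@14' } : { status: 'not-affected', target: null };
  }

  if (major === 15 || major === 16) {
    if (canary !== null) {
      const f = FIXED_CANARY[major];
      const line = cmpTuple([minor, patch], [f.minor, f.patch]);
      if (line > 0) return { status: 'unknown', target: null }; // newer canary line than the advisory lists
      if (line === 0 && canary >= f.canary) return { status: 'patched', target: null };
      return { status: 'affected', target: `next@${major}.${f.minor}.${f.patch}-canary.${f.canary}` };
    }
    const fixedPatch = FIXED_STABLE[`${major}.${minor}`];
    if (fixedPatch === undefined) return { status: 'unknown', target: null }; // minor line not listed
    return patch >= fixedPatch
      ? { status: 'patched', target: null }
      : { status: 'affected', target: `next@${major}.${minor}.${fixedPatch}` };
  }

  return { status: 'unknown', target: null };
}

// Read the `next` version pinned in a package.json text. Only exact pins are
// accepted: a range such as "^15.4.0" says nothing about what is installed,
// so the caller must use the lockfile or `npm ls next` for the real version.
function pinnedNextVersion(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const spec = (pkg.dependencies && pkg.dependencies.next) || (pkg.devDependencies && pkg.devDependencies.next);
  if (typeof spec !== 'string') return null;
  return parseNextVersion(spec) ? spec.trim().replace(/^v/, '') : null;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: 'demo-app', dependencies: { next: '15.4.2', react: '19.2.0' } });
const SAMPLE_VERSIONS = ['13.5.6', '14.2.5', '14.3.0-canary.77', '15.4.2', '15.4.8', '16.0.3', '16.1.0-canary.3', '16.1.0-canary.12'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const v of SAMPLE_VERSIONS) {
    const r = assessNextVersion(v);
    console.log(`${v.padEnd(20)} ${r.status}${r.target ? `  -> npm install ${r.target}` : ''}`);
  }
  console.log('package.json pin:', pinnedNextVersion(SAMPLE_PACKAGE_JSON));
}
```

Feed it the version reported by `npm ls next` (or read from node_modules/next/package.json) rather than the range declared in package.json, since only the installed version determines exposure. The `unknown` result is deliberate: a release line the advisory does not list should be checked against the upstream advisory rather than assumed safe.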
Rotating Environment Variables
Once you have upgraded and re-deployed your application, rotate every secret it had access to (environment variables, database credentials, API keys, signing keys), since an attacker who achieved code execution could have read them. Rotate only after the patched build is live; new values issued to a still-vulnerable deployment are exposed to the same flaw. Learn more about working with environment variables in the relevant documentation.
Discovery
Thank you to Lachlan Davidson for discovering and responsibly disclosing this vulnerability. We are intentionally limiting technical detail in this advisory to protect developers who have not yet upgraded.
Additional Resources
- Next.js security advisory (CVE-2025-66478)
- React security advisory (CVE-2025-55182)
- React blog: Critical Security Vulnerability in React Server Components
- Vercel Knowledge Base: React2Shell Security Bulletin
- Netlify Blog: Netlify's response to the critical React security vulnerability
- AWS Security Blog: China-nexus cyber threat groups rapidly exploit React2Shell vulnerability
- Google Cloud Blog: Responding to CVE-2025-55182: Secure your React and Next.js workloads
- Fastly Blog: Fastly's Proactive Protection for React2Shell, Critical React RCE CVE-2025-55182 and CVE-2025-66478
- Akamai Blog: CVE-2025-55182: React and Next.js Server Functions Deserialization RCE