Source: https://nextjs.org/blog/CVE-2025-66478#required-action
Overview
A critical vulnerability has been identified in the React Server Components (RSC) protocol. Rated CVSS 10.0, this vulnerability may allow remote code execution when attacker-controlled requests are processed in unpatched environments.
This issue originates from the upstream React implementation (CVE-2025-55182). This advisory (CVE-2025-66478) tracks the downstream impact on Next.js applications using the App Router.
Impact
The vulnerable RSC protocol allowed untrusted inputs to influence server-side execution behavior. Under specific conditions, an attacker could craft requests that trigger unintended execution paths, potentially resulting in remote code execution.
Affected Next.js Versions
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases
Not Affected
- Next.js 13.x
- Next.js 14.x stable
- Pages Router
- Edge Runtime
Fixed Versions
The vulnerability is fully resolved in the following releases:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 15.6.0-canary.58
- 16.0.7
Required Action
Upgrade to the latest patched version:
npm install next@15.0.5
npm install next@15.1.9
npm install next@15.2.6
npm install next@15.3.6
npm install next@15.4.8
npm install next@15.5.7
npm install next@16.0.7
If you are on a canary release:
npm install next@14
If you need canary to continue using PPR:
npm install next@15.6.0-canary.58
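As an added example (not code from the advisory or the Next.js project), the following script checks an installed Next.js version against the affected and fixed ranges listed above and reports the release to move to. It assumes npm's lockfileVersion 2/3 layout for the lockfile lookup, and treats versions newer than the last fix on a line (for example a later 16.x minor) as patched, which the advisory does not state explicitly.

```javascript
// Version thresholds come from the advisory above; the lockfile layout is npm's
// lockfileVersion 2/3 ("packages" map). Versions newer than the last fix on a
// line are treated as patched: an assumption, not stated by the advisory.
const FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "15.6": "15.6.0-canary.58", "16.0": "16.0.7",
};
const FIRST_BAD_CANARY = "14.3.0-canary.77";

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/i.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  const pre = m[4] ? { tag: m[4].toLowerCase(), n: +m[5] } : null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre };
}

// semver-style ordering: a release sorts after its own prereleases (15.6.0 > 15.6.0-canary.58)
function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  if (a.pre.tag !== b.pre.tag) return a.pre.tag < b.pre.tag ? -1 : 1;
  return a.pre.n - b.pre.n;
}

function assess(version) {
  const v = parseVersion(version);
  if (v.major === 14) {
    // only 14.3.0-canary.77 and later canaries are affected; advisory says: npm install next@14
    const bad = v.pre !== null && v.pre.tag === "canary" && compare(v, parseVersion(FIRST_BAD_CANARY)) >= 0;
    return { version, affected: bad, upgradeTo: bad ? "14" : null };
  }
  if (v.major === 15 || v.major === 16) {
    const fixed = FIXED[`${v.major}.${v.minor}`];
    const affected = fixed ? compare(v, parseVersion(fixed)) < 0 : false;
    return { version, affected, upgradeTo: affected ? fixed : null };
  }
  return { version, affected: false, upgradeTo: null }; // 13.x and earlier are listed as not affected
}

// Reads the installed "next" entry from a parsed package-lock.json (lockfileVersion 2 or 3).
function assessLockfile(lock) {
  const entry = lock.packages && lock.packages["node_modules/next"];
  if (!entry || !entry.version) throw new Error("next is not present in the lockfile");
  return assess(entry.version);
}

// Constructed sample lockfile fragment, not taken from a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { "node_modules/next": { version: "15.4.7" } } };
console.log(assessLockfile(SAMPLE_LOCK)); // { version: '15.4.7', affected: true, upgradeTo: '15.4.8' }
```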
Discovery
Special thanks to Lachlan Davidson for discovering and responsibly disclosing this vulnerability.
