Source: https://nextjs.org/blog/CVE-2025-66478#required-action
Overview
A critical vulnerability has been identified in the React Server Components (RSC) protocol. Rated CVSS 10.0, this vulnerability may allow remote code execution when attacker-controlled requests are processed in unpatched environments.
This issue originates from the upstream React implementation (CVE-2025-55182). This advisory (CVE-2025-66478) tracks the downstream impact on Next.js applications using the App Router.
Impact
The vulnerable RSC protocol allowed untrusted inputs to influence server-side execution behavior. Under specific conditions, an attacker could craft requests that trigger unintended execution paths, potentially resulting in remote code execution.
Affected Next.js Versions
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases
Not Affected
- Next.js 13.x
- Next.js 14.x stable
- Pages Router
- Edge Runtime
Fixed Versions
The vulnerability is fully resolved in the following releases:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 15.6.0-canary.58
- 16.0.7
Required Action
Upgrade to the patched release for the Next.js minor line you are on:
npm install next@15.0.5
npm install next@15.1.9
npm install next@15.2.6
npm install next@15.3.6
npm install next@15.4.8
npm install next@15.5.7
npm install next@16.0.7
If you are on a canary release:
npm install next@14
If you need canary to continue using PPR:
npm install next@15.6.0-canary.58
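As an added example (not part of this advisory and not code from the Next.js project), the following Node.js script classifies a Next.js version string against the affected and fixed ranges stated above and reports which fixed release to move to. The range table is transcribed from this advisory; the semver parsing and precedence comparison are a small hand-written implementation rather than the npm `semver` package, so the script runs with no dependencies. Any 15.x or 16.x minor line the advisory does not list (for example 16.1) is reported as "unknown" rather than guessed at, and `assessInstalled` reads `next/package.json` from the current project if it resolves.

```javascript
// Added example: classify a Next.js version against the ranges in this advisory.
// Range table transcribed from the advisory; semver helpers are hand-written here.

// Fixed release per affected minor line (advisory "Fixed Versions").
const FIXED_BY_LINE = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "15.6": "15.6.0-canary.58", "16.0": "16.0.7",
};
// On the 14.x line only canaries from this one onward are affected.
const FIRST_AFFECTED_14_CANARY = "14.3.0-canary.77";

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]),
    pre: m[4] ? m[4].split(".") : [], // prerelease identifiers, e.g. ["canary", "77"]
  };
}

// Semver precedence: numeric core first; a prerelease ranks below its release;
// prerelease identifiers compare numerically when both are digits, otherwise
// lexically, with numeric identifiers sorting before alphanumeric ones.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (i >= x.pre.length) return -1; // shorter prerelease list ranks lower
    if (i >= y.pre.length) return 1;
    const p = x.pre[i], q = y.pre[i];
    const pNum = /^\d+$/.test(p), qNum = /^\d+$/.test(q);
    if (pNum && qNum) {
      if (Number(p) !== Number(q)) return Number(p) < Number(q) ? -1 : 1;
    } else if (pNum) return -1;
    else if (qNum) return 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Returns { status, reason, upgradeTo? }; status is "affected", "fixed",
// "not-affected", or "unknown" (version not covered by the advisory's lists).
function assess(version) {
  const v = parseVersion(version);
  if (v.major <= 13) {
    return { status: "not-affected", reason: "13.x and earlier are listed as not affected" };
  }
  if (v.major === 14) {
    if (v.pre.length === 0) return { status: "not-affected", reason: "14.x stable is listed as not affected" };
    if (compareVersions(version, FIRST_AFFECTED_14_CANARY) >= 0) {
      return {
        status: "affected",
        reason: `${FIRST_AFFECTED_14_CANARY} and later canaries are affected`,
        upgradeTo: "14 (stable), or 15.6.0-canary.58 if PPR is needed",
      };
    }
    return { status: "unknown", reason: "14.x canary older than the first listed affected canary; verify manually" };
  }
  const line = `${v.major}.${v.minor}`;
  const fixed = FIXED_BY_LINE[line];
  if (!fixed) {
    return { status: "unknown", reason: `${line}.x is not in this advisory's fixed-version list; verify manually` };
  }
  if (compareVersions(version, fixed) >= 0) {
    return { status: "fixed", reason: `${version} is at or above fixed release ${fixed}` };
  }
  return { status: "affected", reason: `${version} predates fixed release ${fixed}`, upgradeTo: fixed };
}

// Assess the Next.js installed in the current project, if it resolves.
function assessInstalled() {
  try {
    const { version } = require("next/package.json");
    return { version, ...assess(version) };
  } catch (e) {
    return { version: null, status: "unknown", reason: "next is not resolvable from this directory" };
  }
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed sample versions for a quick self-check.
  for (const v of ["14.2.5", "14.3.0-canary.77", "15.4.7", "15.4.8", "15.6.0-canary.57", "16.0.7", "16.1.0"]) {
    console.log(v, assess(v));
  }
  console.log("installed:", assessInstalled());
}
```

Run it from the project root with `node check-next-cve.js` (file name is an assumption); an "affected" result names the fixed release for that line, which maps directly onto the `npm install next@…` commands above.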
Discovery
Special thanks to Lachlan Davidson for discovering and responsibly disclosing this vulnerability.
