A new critical security vulnerability has been identified in the React Server Components (RSC) protocol, affecting Next.js applications that rely on the App Router. Tracked as CVE-2025-66478, this issue carries a CVSS score of 10.0, reflecting the highest severity level due to the potential for remote code execution (RCE) in unpatched environments.
Overview of the Vulnerability
The vulnerability originates from a flaw in the upstream React implementation of the RSC protocol (CVE-2025-55182).
Because Next.js builds on the same RSC protocol, the issue cascades downstream and directly affects applications built with the App Router.
The server-side RSC handling processes payloads supplied by the client, so attacker-controlled request data can influence server-side execution. Under specific conditions, a crafted RSC payload manipulates server operations and can lead to remote code execution.
There are currently no workarounds. Upgrading to a patched version is the only effective remediation.
Impact
If exploited successfully, CVE-2025-66478 may allow attackers to:
- Execute arbitrary code on the server
- Access or modify sensitive application or server data
- Escalate privileges within the system
- Fully compromise Next.js deployments that use the App Router
Affected Next.js Versions
Your Next.js application is vulnerable if it runs one of the release lines listed below and meets both of these conditions:
- It uses React Server Components (RSC)
- It is built using the App Router
Vulnerable release lines:
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases
Not affected:
- Next.js 13.x
- Next.js 14.x stable releases
- Applications using the Pages Router
- Deployments running on the Edge Runtime
Patched (Safe) Versions
Next.js 15 patched releases:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
Next.js 16:
- 16.0.7
Canary patched releases:
- 15.6.0-canary.58
- 16.1.0-canary.12
How to Apply the Patch
Upgrade to the patched release for the line you are on (run the one command that matches your current minor version, not all of them):
npm install next@15.0.5
npm install next@15.1.9
npm install next@15.2.6
npm install next@15.3.6
npm install next@15.4.8
npm install next@15.5.7
npm install next@16.0.7
Canary users:
npm install next@15.6.0-canary.58
npm install next@16.1.0-canary.12
If using 14.3.0-canary.77 or a newer 14.3 canary, downgrade to stable 14.x, which is not affected:
npm install next@14
Automatic Detection and Fixing
Next.js provides an automated tool that detects vulnerable versions, recommends the patched release for your line, and performs deterministic upgrades. This is the recommended path for CI/CD pipelines and teams managing many deployments:
npx fix-react2shell-next
Whichever path you take, confirm the version actually installed in node_modules (or pinned in your lockfile) after the upgrade, and redeploy; a caret range in package.json alone does not prove the fix is running.
Rotate All Secrets After Upgrade
Because a server that was exploited before the patch could already have exposed anything it had access to, rotate the following after updating and redeploying:
- Database credentials
- API keys
- Authentication tokens
- Third-party integration keys
- Encryption keys
Conclusion
CVE-2025-66478 represents one of the most severe vulnerabilities identified in Next.js. Immediate patching, verification that the patched version is what is actually deployed, and secret rotation are essential to protect affected applications.