PT-2025-48971 · Meta +1 · React +1

Published

2025-12-03

·

Updated

2025-12-08

·

CVE-2025-66478

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Next.js versions 14.3.0-canary.77 through 16.0.7
Next.js versions 15.x
Next.js versions 16.x
Description
A critical remote code execution (RCE) vulnerability exists in Next.js applications that use the App Router. The flaw, identified as CVE-2025-66478, allows an attacker to execute arbitrary code on the server through crafted HTTP requests. It stems from weaknesses in the React Server Components (RSC) protocol, which allow untrusted input to influence server-side execution. Exploitation requires control over the serverManifest, which may in turn require a Prototype Pollution primitive. Vercel has taken action to block deployments of vulnerable applications. Reports indicate that exploitation is occurring in the wild, and standard Web Application Firewall (WAF) rules may not provide sufficient long-term protection. The vulnerability impacts over 700 publicly exposed KaraKeep instances.
Recommendations
Next.js versions 14.3.0-canary.77 through 16.0.7: Upgrade to a patched version, such as 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7.
Next.js version 15.x: Upgrade to a patched version, such as 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, or 15.5.7.
Next.js version 16.x: Upgrade to version 16.0.7.

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2025-15156
CVE-2025-66478

Affected Products

Next.Js
React