PT-2025-48971 · Vercel (+1) · Next.Js (+1)

Published: 2025-12-03 · Updated: 2026-03-10 · CVE-2025-66478

CVSS v2.0: 10 (High) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Next.js versions 14.3.0-canary.77 and later canaries, 15.x, and 16.x. Patched versions include 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.

Description: A critical Remote Code Execution (RCE) vulnerability exists in Next.js, specifically affecting applications using the App Router. This vulnerability, identified as CVE-2025-66478, stems from an insecure deserialization flaw within the React Server Components (RSC) protocol. An unauthenticated attacker can exploit this flaw by sending a crafted HTTP request, potentially leading to arbitrary code execution on the server. Exploitation has been observed in the wild, with attackers deploying cryptominers and attempting to steal sensitive data. The vulnerability impacts a large number of systems, with reports indicating over 968,000 instances of React and Next.js potentially affected. The vulnerability allows attackers to execute shell commands, steal sensitive data, install persistent backdoors, and potentially move laterally within a network.

Recommendations: Upgrade to Next.js version 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7. Use the npx fix-react2shell-next command to automatically update affected Next.js applications. If using Docker, ensure containers do not run as root; create a dedicated user for the Next.js application. Rotate all sensitive credentials, including database passwords, API keys, and environment variables. Consider implementing a Web Application Firewall (WAF) for added protection.
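The following is an added example, not code from the PT advisory or from Vercel: a small Node.js check that reads the installed Next.js package manifest (node_modules/next/package.json, where "version" is an exact release) and classifies it against the affected and patched versions listed above. The classification rules are an assumption derived from the advisory's version list: a 15.x or 16.x release is treated as patched only if it is at or above the listed fix for its minor line, a 14.3.0 canary is affected from canary.77 onward, and minor lines newer than any listed fix are reported as "unknown" because the advisory does not name a fixed release for them. The sample manifest at the bottom is constructed.

```javascript
// Added example: classify an installed Next.js version against the versions
// the PT-2025-48971 / CVE-2025-66478 advisory lists as affected and patched.
// No dependencies; run with `node check-next-version.js` (filename assumed).

// Parse "major.minor.patch[-prerelease]" into numbers plus an optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Patched releases named by the advisory, one per affected minor line.
const PATCHED = ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"]
  .map(parseVersion);

// Returns "affected", "patched", "not-in-scope" (below the advisory's range)
// or "unknown" (a line the advisory lists no fix for). Rules are an assumption
// derived from the advisory's version list, not an official matrix.
function assessNextVersion(version) {
  const v = parseVersion(version);
  if (v.major < 14) return "not-in-scope";
  if (v.major === 14) {
    // Only 14.3.0-canary.N with N >= 77 is listed as affected.
    if (v.minor === 3 && v.patch === 0 && v.pre && v.pre.startsWith("canary.")) {
      const n = Number.parseInt(v.pre.slice("canary.".length), 10);
      return Number.isFinite(n) && n >= 77 ? "affected" : "not-in-scope";
    }
    return "not-in-scope";
  }
  if (v.major > 16) return "unknown";
  const fix = PATCHED.find((p) => p.major === v.major && p.minor === v.minor);
  if (!fix) {
    const newestFixedMinor = Math.max(
      ...PATCHED.filter((p) => p.major === v.major).map((p) => p.minor),
    );
    return v.minor > newestFixedMinor ? "unknown" : "affected";
  }
  if (v.patch > fix.patch) return "patched";
  if (v.patch < fix.patch) return "affected";
  // Same patch number: a prerelease (e.g. 15.0.5-canary.2) sorts before the
  // final 15.0.5 under semver, so it does not carry the fix.
  return v.pre ? "affected" : "patched";
}

// Reads the text of node_modules/next/package.json and reports the installed version's status.
function assessInstalledNext(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  if (pkg.name !== "next" || typeof pkg.version !== "string") {
    throw new Error("not a next package.json (expected name 'next' and a version string)");
  }
  return { version: pkg.version, status: assessNextVersion(pkg.version) };
}

// Constructed sample standing in for a real node_modules/next/package.json.
const SAMPLE_NEXT_PACKAGE_JSON = JSON.stringify({ name: "next", version: "15.4.2" });

console.log(assessInstalledNext(SAMPLE_NEXT_PACKAGE_JSON));
```

In a real audit, replace the constructed sample with `fs.readFileSync("node_modules/next/package.json", "utf8")` from the application root; reading the exact installed version rather than the `^`/`~` range in the application's own package.json avoids misjudging a lockfile that still pins an older release.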

Exploit · Fix

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: BDU:2025-15156, CVE-2025-66478

Affected Products: Next.Js, React