PT-2025-48971 · Vercel+1 · Next.Js+1

Published 2025-12-03 · Updated 2026-05-12 · CVE-2025-66478

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

react-server-dom-webpack (affected versions not specified)
react-server-dom-parcel (affected versions not specified)
react-server-dom-turbopack (affected versions not specified)
Next.js versions prior to 16.0.7

Description

A deserialization flaw exists in the requireModule() function of the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages when processing the hasOwnProperty parameter. This issue allows a remote attacker to execute arbitrary code by sending a specially crafted HTTP request.
Telemetry indicates a massive scale of exposure, with over 968,000 instances of React and Next.js identified, and more than 77,000 internet-facing IP addresses confirmed as vulnerable. Real-world exploitation has been widespread, affecting over 50 organizations across sectors such as finance, government, and high technology. Attackers have used this flaw to deploy cryptocurrency miners (e.g., XMRig), botnets (e.g., Mirai, RondoDox), and various malware strains including the PeerBlight Linux backdoor, CowTunnel reverse proxy, and ZinFoq post-exploitation implant. Some campaigns have targeted AWS configuration files and credentials.
Recommendations

Update Next.js to version 16.0.7 or newer. For applications using React Server Components, immediately apply available updates, rebuild, and redeploy the applications. As a mitigation measure, ensure Docker containers are not running as root: create a system user (e.g., adduser --system nextjs) and switch to that user (USER nextjs) in the Dockerfile to prevent attackers from installing persistence scripts or system-level malware.
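Added here as a triage aid (not part of the advisory): a Python script that reads a project's package-lock.json, flags any installed Next.js copy older than the fixed 16.0.7 release, and reports whether one of the three react-server-dom-* packages named above is present at all, since the advisory does not specify their affected versions. The sample lockfile is constructed for illustration.

```python
import json
import re

FIXED_NEXT = (16, 0, 7)  # first fixed Next.js release named in the advisory
RSC_PACKAGES = ("react-server-dom-webpack", "react-server-dom-parcel",
                "react-server-dom-turbopack")

def parse_version(ver):
    """Split 'MAJOR.MINOR.PATCH[-pre][+build]' into (core tuple, is_prerelease)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+\S*)?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version: {ver!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4] is not None

def next_is_vulnerable(ver):
    """True when a Next.js version predates 16.0.7; a 16.0.7 prerelease
    (e.g. 16.0.7-canary.1) sorts below the release and is still flagged."""
    core, pre = parse_version(ver)
    return core < FIXED_NEXT or (core == FIXED_NEXT and pre)

def installed_versions(lock_json):
    """Map package name -> set of installed versions (hoisted and nested copies)."""
    found = {}
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if "node_modules/" in path and "version" in meta:
            name = path.rsplit("node_modules/", 1)[1]
            found.setdefault(name, set()).add(meta["version"])
    return found

def triage(lock_json):
    """Summarise exposure for one project: which Next.js copies predate the fix
    and whether any react-server-dom-* package is present (affected versions of
    those packages are not specified, so presence alone is reported)."""
    pkgs = installed_versions(lock_json)
    bad_next = sorted(v for v in pkgs.get("next", ()) if next_is_vulnerable(v))
    rsc = sorted(p for p in RSC_PACKAGES if p in pkgs)
    return {"vulnerable_next": bad_next, "rsc_packages": rsc,
            "action_required": bool(bad_next or rsc)}

# Constructed sample lockfile (lockfileVersion 3 layout), not real project data.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/next": {"version": "16.0.6"},
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
}})

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOCK), indent=2))
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents; an "action_required" result means the update, rebuild and redeploy steps above apply to that project.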

Exploit

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2025-15156
CVE-2025-66478

Affected Products

Next.Js
React