PT-2025-48971 · Meta +1 · React +1

Published 2025-12-03 · Updated 2026-01-13 · CVE-2025-66478

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Next.js versions 14.3.0-canary.77 and later canaries, 15.x, and 16.x.
Description: A critical Remote Code Execution (RCE) vulnerability (CVE-2025-66478) exists in Next.js applications that use the App Router. This vulnerability, affecting React Server Components, allows attackers to execute arbitrary code on the server through crafted HTTP requests. Exploitation has been observed in the wild, with attackers deploying cryptominers and attempting data theft. The vulnerability stems from insecure deserialization within the React Server Components protocol. The issue is exacerbated when Docker containers are run as root, potentially allowing attackers to gain persistent access. Several groups, including those associated with China, have been observed exploiting this vulnerability. The vulnerability allows attackers to execute shell commands, steal sensitive data, install backdoors, and potentially move laterally within a network. A scanner and fix utility (npx fix-react2shell-next) has been released to address this issue. Vercel has implemented measures to block deployments of vulnerable applications and is actively monitoring for exploitation attempts.
The vulnerability allows attackers to send a crafted request that is interpreted as code during RSC processing, leading to remote code execution. The attack vector involves exploiting a flaw in the serverManifest.
Recommendations: Upgrade to Next.js version 16.0.7 or later. If using a canary release, upgrade to 16.1.0-canary.12 or later. If unable to upgrade, consider downgrading to a stable version of Next.js 13.x or 14.x. Ensure Docker containers are not running as root; configure them to run as a non-root user. Rotate all sensitive credentials and review IAM permissions. Implement a Web Application Firewall (WAF) for added protection. Utilize the npx fix-react2shell-next utility to automatically patch affected applications.
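The affected and fixed version boundaries above are easy to misread, especially for canary builds. The following is an added example (not part of this advisory and not Vercel's fix utility) that encodes those boundaries as a check over the version actually resolved in a package-lock.json; it assumes npm semver strings of the form MAJOR.MINOR.PATCH[-canary.N] and conservatively treats 16.x canaries not listed as fixed as affected.

```javascript
// Assumption: versions use npm semver form "MAJOR.MINOR.PATCH[-canary.N]";
// 16.x canaries not listed as fixed are treated as affected (conservative).
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(text.trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3],
           canary: m[4] === undefined ? null : +m[4] };
}

// Lexicographic "a >= b" over [minor, patch, canary] tuples.
function tupleAtLeast(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Affected ranges as stated in the advisory: 14.3.0-canary.77 and later
// canaries, all 15.x, and 16.x before 16.0.7 (canary line fixed at 16.1.0-canary.12).
function isAffected(versionText) {
  const v = parseVersion(versionText);
  if (v === null) throw new Error(`unrecognised Next.js version: ${versionText}`);
  if (v.major < 14) return false;                 // 13.x is outside the range
  if (v.major === 14) {                           // stable 14.x is not listed
    return v.canary !== null && tupleAtLeast([v.minor, v.patch, v.canary], [3, 0, 77]);
  }
  if (v.major === 15) return true;
  if (v.major === 16) {
    if (v.canary !== null) return !tupleAtLeast([v.minor, v.patch, v.canary], [1, 0, 12]);
    return !tupleAtLeast([v.minor, v.patch], [0, 7]);
  }
  return false;                                   // assumption: later majors postdate the fix
}

// Resolved "next" version from a package-lock.json (lockfileVersion 2 or 3),
// which is what is actually installed, unlike a "^"/"~" range in package.json.
function lockedNextVersion(lockfileText) {
  const entry = (JSON.parse(lockfileText).packages || {})['node_modules/next'];
  return entry ? entry.version : null;
}

// Constructed sample lockfile fragment so the example runs stand-alone.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3,
  packages: { 'node_modules/next': { version: '16.0.6' } } });

function auditLockfile(lockfileText) {
  const version = lockedNextVersion(lockfileText);
  return { version, affected: version !== null && isAffected(version) };
}
console.log(auditLockfile(SAMPLE_LOCK)); // { version: '16.0.6', affected: true }
```

Run it against a real lockfile with `auditLockfile(fs.readFileSync('package-lock.json', 'utf8'))`; a `false` result only means the version is outside the advisory's stated range, not that the deployment is otherwise hardened.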

Exploit

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2025-15156
CVE-2025-66478

Affected Products

Next.Js
React